Saturday, October 02, 2010

Interesting M.O. Were their procedures so weak it was easy for the bad guys to replace POS terminals or did they happen to have an ALDI T-shirt and therefore looked “official?” Either way, this is a big (geographically) crime.

(Update) ALDI breach reports mushroom, customers in 11 states affected

October 1, 2010 by admin

The breach involving ALDI grocery stores is apparently larger than earlier reports suggested as reports trickle in from Pittsburgh and other areas. The chain has updated its statement on its website today:

October 1, 2010

ALDI Inc. recently learned that, from approximately June 1, 2010 to August 31, 2010, tampered payment card terminals were illegally placed in some ALDI stores, enabling unauthorized individuals to fraudulently obtain payment card information from a limited number of our customers. [“Limited” to everyone who used a Debit or Credit card on these terminals... Bob] The tampered terminals were capable of capturing information such as name, card account number and PIN. We believe some terminals in a limited number of stores in the following areas may have been impacted:

Connecticut (limited to greater Hartford area)
Georgia (limited to greater Atlanta area)
Illinois (limited to greater Chicago area)
Indiana (limited to greater Indianapolis area)
New Jersey
New York (limited to greater Rochester area and Lower Hudson Valley)
North Carolina (limited to greater Charlotte and Raleigh areas)
Pennsylvania (limited to greater Pittsburgh and Philadelphia areas)
South Carolina (limited to greater Charlotte area)
Virginia (limited to greater Washington, D.C. area)

ALDI says that they are a leader in the international grocery retailing industry, serving Europe, the USA and Australia and that they have over 1,000 stores in 29 states, serving 18 million customers each month.

Perspective. If you have “covered up” your security breach, would you be surprised to learn your customers no longer trusted you?

Staring into the abyss: how many breaches go unreported?

October 1, 2010 by admin

While compiling data breach reports submitted to Maine a few months ago, one of the things I discovered (no pun intended), was that Discover submits batched reports to at least two states. Their reports indicate how many Discover card members are affected by the incidents, but their logs don’t provide much detail about the incidents themselves.

I’m concerned that for many of the breaches they report, we have never seen breach reports filed by the entities themselves nor media reports on the incidents. For now, though, let’s start with what I found when I received one batch of their reports to NYS. Keep in mind as you read the summaries that we are only talking about the number of Discover card users affected by the incidents and for only two states. The numbers affected by each incident could be considerably higher, but since the entities themselves never filed breach reports with NYS or Maine, I have no additional information at this time.

[Details omitted Bob]

Taken together, these breach summaries from Discover to two states suggest that there are many reportable breaches that are not getting reported to states by the breached entities themselves. Based on what I obtained, I would estimate that as a crude guess, there might easily be 70 or more business/hospitality sector breaches each year where the entities have not filed breach reports as required by just these two states. And that’s just for those using Discover cards.

The fact that in at least some cases, breaches seemingly remained undetected for long periods continues to be a concern. But who, if anyone, is working with Level 4 merchants to help them comply with breach reporting requirements after they do realize that they’ve had a breach?

This is where one uniform breach-reporting requirement and standardized form would be a boon, as it should promote greater compliance with reporting requirements. Of course, we need Congress to actually pass such a bill, but hey, one can always hope.

Is there any suggestion that this “collection” is random or even ubiquitous? Surely collection of everything at a crime scene would be okay, even without the criminal's “consent?”

Article: DNA Theft: Recognizing the Crime of Nonconsensual Genetic Collection and Testing

By Dissent, October 1, 2010

Elizabeth E. Joh of the U.C. Davis has an article in a forthcoming issue of the Boston University Law Review (Vol. 91, 2011). Here’s the abstract:

The fact that you leave genetic information behind on the discarded tissues, used coffee cups, and smoked cigarettes everywhere you go is generally of little consequence. The trouble arises when third parties are interested in retrieving this detritus of everyday life for the genetic information you’ve left behind. These third parties may be the police, and the regulation over their ability to collect this evidence is unclear. [Refuse has rights? Bob]

And the police aren’t the only people who are curious about your genetic information. Whether the victims are celebrities, private persons with secrets to keep, or just the targets of nosy third parties with bad intentions, if someone wants to collect and analyze another person’s DNA without consent, they can do so. Committing DNA theft is as easy as sending in a used tissue to a company contacted over the internet, and waiting for an analysis by email. A quick on-line search reveals many companies that offer “secret” or “discreet” DNA testing. The rapid proliferation of companies offering direct-to-consumer genetic testing at ever lower prices means that both the technology and motives exist for DNA theft.

Yet in nearly every American jurisdiction, DNA theft is not a crime. [Can you steal that which has been discarded? Bob] Rather, the nonconsensual collection and analysis of another person’s DNA is virtually unconstrained by law. This article explains how DNA theft poses a serious threat to genetic privacy and why it merits consideration as a distinct criminal offense.

You can download the full article on SSRN. Via the Markle Foundation, @tracyannkosa and @MarieAndreeW

Should a government have access to every citizen's communications?

India rejects RIM’s encryption key suggestion

October 1, 2010 by Dissent

Ben Woods reports:

Indian authorities are unhappy with suggestions proposed by BlackBerry manufacturer Research In Motion in response to requests for access to encrypted device data, according to reports.

The Indian Economic Times suggested on Friday that Research In Motion’s (RIM) proposals were not satisfactory to the Department of Telecommunications (DoT). The proposals included DoT directly approaching enterprises to request encryption keys for the manufacturer’s smartphones.

In an internal memo seen by the newspaper, the Indian authorities noted that they were still unable to monitor or intercept email or instant messages sent through RIM’s encrypted BlackBerry Enterprise Server (BES).

Read more on ZDNet (UK)

(Related) Consider this a partial solution. At least my Computer Forensics students will be able to find more evidence...

BlackBerry's Encryption Hacked; Backups Now a Risk

Posted by Soulskill on Friday October 01, @12:51PM

"InfoWorld blogger Martin Heller reveals that a Russian passcode-breaker developer has broken the encryption used in BlackBerry backups. That can help recover data when passwords are lost, but also gives data thieves access to a treasure trove of corporate secrets. And the developer boasts that it was easier to crack the BlackBerry encryption than it was to crack Apple's iOS."

“We like Behavioral Advertising but we're not sure what the rules should be.”

IAB retracts 48-hour retargeting cookie advice

October 1, 2010 by Dissent

Online advertising trade body the Interactive Advertising Bureau (IAB) has withdrawn a code of practice which recommended that behavioural advertising retargeting cookies should expire after 48 hours.

The IAB’s Affiliate Marketing Council (AMC) published the code last week. It applied to the practice of ‘retargeting’ web users who had visited a site with ads for that site on other people’s websites, using cookies to track their movements and activities.

The code of practice included some measures that were compulsory for IAB members involved in the practice, and some that were advisory.

That code has been withdrawn and will be reworked after further industry consultation, though, the IAB said. The code has disappeared from the IAB’s website.

Read more on Related: Retargeting creates significant rise in search

Cyber-War? You have to admit, it is cheaper than sending in the bombers. And it has the virtue of being deniable...

Stuxnet Analysis Backs Iran-Israel Connection

Posted by Soulskill on Friday October 01, @06:32PM

"Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O'Murchu said that Symantec's analysis of Stuxnet's code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O'Murchu's hypothesis about the origins of Stuxnet were plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention."

Symantec has also issued a lengthy and detailed dossier on Stuxnet (PDF).

I've gotta say something about this... The more sophisticated (read: complex) your algorithm, the more sophisticated your testing must be. This is highly accelerated economics, and the SEC rules that suspend or stop trading weren't ready for it.

SEC, CFTC blame algorithm for flash crash

WASHINGTON (MarketWatch) -- The Securities and Exchange Commission and Commodity Futures Trading Commission on Friday blamed two liquidity crises caused by a computer trading algorithm as the source of the “flash crash” on May 6 that rattled markets and investor confidence worldwide.

The report comes in the wake of the Dow Jones Industrial Average’s sudden drop of nearly 1,000 points on May 6. At one point that afternoon, the Dow dropped 481 points in six minutes and then had recovered 502 points just 10 minutes later.

Specifically, the report points to a large fundamental trader, which the report does not identify, that executed a large sell order using an automated execution algorithm at a time in the afternoon while the markets were already very stressed.

[The report is here:

Dissecting The Flash Crash

A quick read of the report’s executive summary finds that the original sell algorithm only managed to sell about 35,000 E-Mini contracts (worth about $1.9 billion) of the 75,000 intended, but the flood of selling that the initial order sparked vastly overwhelmed demand until a trading pause was triggered at 2:45:28 p.m. on the Chicago Mercantile Exchange. When trading resumed five seconds later, the price of the E-Mini, and eventually the SPY, began to recover.

Tools for teachers? Competing with

How To Make Your Own Podcast For Free

Friday, October 01, 2010

“A breach ain't a breach until we says it's a breach!”

Update on my FOI request to HHS/OCR for breach reports

By Dissent, September 30, 2010

I received a phone call from OCR this morning to discuss my FOI request for the breach reports HHS is receiving under HITECH regulations. I had requested electronic copies of the reporting forms breached entities submitted via HHS’s web site. The conversation was a bit of an eye-opener for me.

First, it turns out that they cannot give me many of the reports just yet, because under their policies, they treat each and every report as a self-reported complaint that requires an investigation for compliance with HIPAA’s privacy rule. Because investigations are not public while they are ongoing, anything the breached entity submitted would be exempt from production under FOI. Once the investigations are closed, however, then they can provide the records.

Slightly over one dozen cases reported since the new reporting went into effect in September 2009 have now been closed, and I will be sent those records very soon. It took a while to figure out whether I really wanted the full investigation records or just some summary documents. I decided that for now, getting the breach report and the closure letter would, in combination with the HHS/OCR web site entries, probably give me enough information to determine if particular breaches involved SSN or financial information, and what happened (how the breach occurred).

So stay tuned, and great thanks to OCR for their call and helpfulness. I will probably have to file a new FOI request each month for the rest of my life, but hey, at least now I understand the process and we will be getting more data.

Apparently, your cell phone is now a party line...

Many More Android Apps Leaking User Data

Posted by CmdrTaco on Thursday September 30, @01:30PM

"After developing and using TaintDroid, several universities found that of 30 popular free Android apps, half were sharing GPS data and phone numbers with advertisers and remote servers. A few months ago, one app was sending phone numbers to a remote server in China but today the situation looks a lot more pervasive. In their paper (PDF), the researchers blasted Google saying 'Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data.' Google's response: 'Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"

You don't have to be a rocket scientist, but you do need to THINK!

Security doesn't have to be complicated

Last week, I wrote about two simple ways to thwart Web spies. One of the methods prevents Web sites from activating your PC's built-in video camera and microphone without your permission.

In a comment posted in response to that article, a reader by the screen name of "BirdDog01" supplied a foolproof solution to the video portion of that equation: put a piece of duct tape over the camera lens. Aesthetics aside, that approach is about as simple and straightforward as they come.

A video has been making the rounds lately that shows crooks installing a card-skimming device and video camera at an ATM in the U.K. (Lifehacker provides a link to the video along with several ATM-safety tips.)

The video shows several ATM users shielding the keypad with one hand as they enter their personal identification number (PIN) with the other. I've been aware of this scam for some time and consider myself a prudent, suspicious ATM user, but I never thought to cover the keypad. Doh!

But does he see what I see?

FTC Consumer Protection Head Shares New Vision for Consumer Privacy

September 30, 2010 by Dissent

David Vladeck, the head of the Bureau of Consumer Protection at the Federal Trade Commission, shared his vision for consumer privacy protection with an audience at the IAPP’s Privacy Academy on September 30, 2010.

Mr. Vladeck noted three key areas for future enforcement. The FTC will (1) bring more cases involving “pure” privacy, i.e., cases involving practices that attempt to circumvent consumers’ understanding of a company’s information practices and consumer choices; (2) focus enforcement efforts on new technologies (Mr. Vladeck noted that, to assist staff attorneys in bringing these sorts of cases, the FTC has hired technologists to assist and also have created mobile labs to respond to the proliferation of smart phones and mobile apps); and (3) increase international cooperation on privacy issues (Mr. Vladeck cited the FTC’s recently-announced participation in the Global Privacy Enforcement Network).

Read more about his presentation on Hunton & William’s Privacy and Information Security Law Blog.

Christopher Wolf also blogs about the presentation on Chronicle of Data Protection.

“We don't need no stinking Congress!”

Even Without COICA, White House Asking Registrars To Voluntarily Censor 'Infringing' Sites

from the censorship-through-political-pressure? dept

While there's been increasing attention paid to the "Combating Online Infringement and Counterfeits Act" (COICA), the proposed law that would allow the government to require ISPs and registrars to block access to websites deemed to be "dedicated to infringing activities," it looks like the White House (which we had thought was against censoring the internet) appears to be working on a backup plan in case COICA doesn't pass.

That is, while most folks have been focused on COICA, the White House's Intellectual Property Enforcement Coordinator (IP Czar) Victoria Espinel has apparently been holding meetings with ISPs, registrars, payment processors and others to get them to agree to voluntarily do what COICA would mandate. While the meeting is carefully focused on stopping websites that sell gray market pharmaceuticals, if registrars start agreeing to censoring websites at the behest of the government, it's as if we're halfway to a COICA-style censorship regime already. ICANN, who manages the internet domain name system was asked to attend the meeting, but felt that it "was not appropriate to attend" such a meeting.

How 'geeky' do they need to be?

All Rise: Supreme Court’s Geekiest Generation Begins

The U.S. Supreme Court begins a new term Monday with a slew of technology and civil rights issues queued on its docket, some of which could have far-reaching implications for the Freedom of Information Act, copyright, warrantless searches of private residences, the “state secrets” privilege and freedom of expression.

The cases we’re tracking involve regulation of videogame sales, the limits of the Copyright Act’s first-sale doctrine and the power of the government to collect sensitive data on employees. Another case asks whether convicted defendants have a right to use modern DNA testing to prove their innocence.

Ruling on these issues is a rapidly changing high court, with four new appointees in five years, creating the youngest court in the modern, digital age.

“You’re getting a new generation of justices. You’ve got justices who text on their phones, who do e-mail, who actually use a computer,” says Thomas Goldstein, the SCOTUSblog founder who has argued nearly two dozen cases before the Supreme Court. “That can have real consequences. It makes a difference.”

Here is a summary of some of the upcoming cases that have been granted a hearing by the Supreme Court:

Costco Wholesale v. Omega, 08-1423

Oral argument Nov. 8

Question presented: Does the first-sale doctrine apply to imported goods manufactured abroad?

Schwarzenegger v. Entertainment Merchants Association, 08-1448

Oral argument Nov. 2

Question presented: May the states ban the sale or rental of violent video games to minors?

Skinner v. Switzer, 09000

Oral argument Oct. 13

Question presented: Do convicts have a right to post-conviction DNA testing?

National Aeronautics and Space Administration v. Nelson, 09-530

Oral argument Oct. 5

Question presented: How much personal information may the federal bureaucracy dig up about its workers?

Federal Communications Commission v. AT&T, 09-1279

Oral argument not scheduled

Question presented: The Freedom of Information Act exempts the government from disclosing law enforcement records if they “constitute an unwarranted invasion of personal privacy.” Does that personal exemption apply to a corporation, in this case AT&T?

Boeing Company v. United States and General Dynamics v. United States, 09-1298

Oral argument not scheduled

Question presented: Can the government claim a party owes it money while invoking the “state secrets” privilege to prevent a defense to that claim?

Kentucky v. King, 09-1272

Oral argument not scheduled

Question presented: Did Kentucky police, when first knocking on a suspected drug dealer’s door and then kicking it down, create their own emergency to bypass the need for a warrant to enter a private residence?

Hummm. Perhaps a student project? (À la Linus Torvalds?)

Linux May Need a Rewrite Beyond 48 Cores

Posted by CmdrTaco on Thursday September 30, @12:47PM

"There is interesting new research coming out of MIT which suggests current operating systems are struggling with the addition of more cores to the CPU. It appears that the problem, which affects the available memory in a chip when multiple cores are working on the same chunks of data, is getting worse and may be hitting a peak somewhere in the neighborhood of 48 cores, when entirely new operating systems will be needed, the report says. Luckily, we aren't anywhere near 48 cores and there is some time left to come up with a new Linux (Windows?)."

“'cause I may not be the most perfect teacher in the whole wide world?”

8 Awesome Websites to Take Free College Courses Online

MIT OpenCourseware

Carnegie Mellon OpenLearning

Khan Academy

University of California at Berkeley

Stanford University iTunesU

Tufts OpenCourseware

Open University LearningSpace

Johns Hopkins OpenCourseware

Since we're using Windows 7 now, it pays to learn some tricks...

25 Cool Windows 7 Keyboard Tricks That Will Impress Your Friends

Note that some of these shortcuts will only work if Windows Aero is enabled. If Aero effects are disabled on your computer, it might not be powerful enough to support resource intensive graphical features.

The following articles describe lots of additional keyboard tricks and shortcuts to make use of:

'cause you can never have enough free stuff...

DownloadSpy is a huge archive of free and free-to-try software programs for all operating systems. We review and categorize these products in order to allow the visitor to find the exact product they and their system needs.


The Lesser Known (But Very Cool) Windows Apps You Might Be Looking For

I've been asking my students to organize what they learn by using Wikis or Mind Maps. Perhaps it's time to go further?

5 Reliable Ways To Look For Freelance Writing Jobs

Thursday, September 30, 2010

Are they sending a message or will everyone be subject to fines for slow compliance? (I hope it is the latter...)

Did the punishment fit the “crime?” (the Lucile Salter Packard Hospital breach fines)

By Dissent, September 29, 2010

Jason C. Gavejian writes about a hospital breach that is causing waves because of the exorbitant fine the state imposed.

Lucile Salter Packard Children’s Hospital at Stanford University was fined $250,000 earlier this year by the California Department of Public Health (“CDPH”) for an alleged delay in reporting a breach under California’s health information privacy law. What makes this fine particularly disconcerting for health care providers is the relatively small number of patient records which were subject to the breach when compared to the considerable fine imposed. [It's not how many patients were involved, it's your failure to protect your records! Bob] For employers generally, this fine could establish a timing and penalty standard which is examined and utilized by other administrative entities.

Personally, I think the significant issue/concern is not the number of patients affected (532) but the time issue. The hospital had confirmed that PHI was on the stolen computer by Feb. 1. Under California’s law, the state’s position is that the hospital had five (5) business days from that point to notify both the state and affected patients. The hospital, however, did not notify the state or affected patients until February 19 – after it confirmed that it could not recover the computer.

CDPH informed the hospital of the fine due to the reporting of the incident 11 days late on April 23, 2010. It is unclear if the fine was tied to a failure to notify the affected individuals or the CDPH. The hospital is appealing the fine asserting its communication to CDPH was appropriate given that no unauthorized or inappropriate access took place to require it to notify affected individuals.

As much as I empathize with the hospital, the statute does not appear to give them wiggle room on this:

A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

Does stealing a computer provide “unlawful access” to the patients’ records? If so, it seems to me that the clock started running on Feb. 1. I understand the hospital’s view and I understand that the stolen computer had software that enabled the hospital to know that it had not been turned on, but there is nothing in the statute that would seemingly toll the deadline for that.

CDPH’s report can be found here (pdf).

This incident highlights the seriousness of potential data breaches, regardless of size, and the urgency with which these situations must be addressed. It also highlights an often asked question as to whether laptops that go unrecovered would constitute unauthorized access or acqisitiion (sic) of protected information.

I think the answer is obvious: if an entity loses control of a device that contains unsecured PHI, it may or may not have been acquired by someone, but if you know it was stolen, then it was acquired. Whether it will ever be accessed or not is another question, but entities need to err on the side of caution and assume the worst and notify promptly.

The HIPAA regulations also shed light on this issue, stating, “if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.”

Agreed. Whether the fine should be this steep is another matter, though. I personally think it’s quite harsh.

Read Jason C. Gavejian’s full commentary without my interspersed remarks on Workplace Privacy Data Management & Security Report.

Now this is an interesting legal argument – even if it only applies to Napoleon.

Oui, Defamation Can be Automatic

September 30, 2010 by Dissent

Marie-Andrée – who unlike this blogger can actually speak French and is a lawyer to boot – provides a commentary and explanation of a recent French court ruling that Eric Schmidt was guilty of defamation because of Google Suggest results. She writes, in part:

The Court noted that “algorithms or software solutions proceed from the human mind before being implemented.” The court also doubted the purely automatic character of the search results, as results were not the same on “Google Suggest” and “Recherches Associées” (associated research), which is a list of suggested research made to users, based on their original search terms. Results were not the same on the Yahoo search engine either. Therefore, the Court expressed doubt about the technological neutrality of the results.

The Court also noted that “not all research terms entered by Internet users are taken into account by the Google search engine in order. One of Google’s exhibits in the September 2010 case was a statement by Google that “[it] appl[ies] a limited set of policies regarding removal of pornography, violence and hatred”, which, according to the French Court, “confirms the possibility of at least a retrospectively human intervention capable of preventing the most obvious damage related to the search features at stake.”

Read her full commentary on Online Reputation and the Law.

[The article concludes:

It seems that if Mr. Schmidt could have proven the neutrality of the algorithm, he could have won the case. However, in order to prove neutrality, it would have been necessary for Google to discard any voiced concern of its users, and to avoid complying with their requests to suppress offensive terms. Probably not a good result for society.

Someone wants to slap Big Brother's wrist! (and Big Brother knows who he is and where he lives and works and what roads he takes to work and what medications he takes and... )

EU takes UK to court over internet privacy

September 30, 2010 by Dissent

The UKPA reports:

The European Commission is taking the UK to court for breaking EU rules on safeguarding internet privacy.

The move follows complaints to the Commission from British internet users that they have been targeted by advertisers based on an analysis of their “internet traffic”.

A Commission statement said it first launched legal proceedings in April last year amid concerns about how the UK authorities dealt with citizens’ concerns over the use of “behavioural advertising” by internet service providers.

The complaints were handled by the UK Information Commissioner’s Office, the UK personal data protection authority and police forces responsible for investigating cases of illegal interception of communications.

As Chris Williams of The Register tells it:

The European Commission is suing the UK government over authorities’ failure to take any action in response to BT’s secret trials of Phorm’s behavioural advertising technology.

The Commission alleges the UK is failing to meet its obligations under the Data Protection Directive and the ePrivacy Directive.

The action follows 18 months of letters back and forth between Whitehall and Brussels. The Commission demanded changes to UK law that have not been made, so it has today referred the case to the European Court of Justice in Luxembourg.

Read more in The Register.

California law protects drivers’ locational privacy

September 30, 2010 by Dissent

One of the bills Governor Schwarzenegger has signed into law is SB 1268, another privacy-centric bill by Democratic Sen. Joe Simitian. Under the new law, drivers who use FasTrak or other automatic systems to pay tolls for bridges and roads (like the EZPass system on the east coast) will now have their records protected. The state cannot sell or share the data, which would include the location of the car identified by the FasTrak, and the time it was used.

The bill also requires purging of the data [I think that's a first. Bob] if not needed for law enforcement purposes.

In a press release issued yesterday, Senator Simitian said

Less well-known is the fact that the FasTrak cards are read by traffic monitoring systems throughout the Bay Area and elsewhere in the state to measure traffic congestion. Cameras that photograph license plates are also used to ensure tollpayer compliance by all drivers, even those who choose to pay by cash rather than use FasTrak.

“The net result,” says Simitian, “is that relatively obscure transportation agencies have personal data and travel histories for well over a million Californians, with no real meaningful legal protection from misuse of or inappropriate access to the data.”

Senate Bill 1268 becomes law Jan. 1, 2011.

This seems to be the hot trend for law firms – law suits as extortion? Perhaps this will translate to Software Patent trolls as well?

EFF Sues Newspaper Chain’s Copyright Troll

Righthaven, the Las Vegas-based copyright troll, may have sued one website too many. The Electronic Frontier Foundation hit the company with a lawsuit Monday alleging Righthaven is abusing copyright law by suing for excerpting or posting newspaper articles without permission.

Law firm Righthaven was formed earlier this year for the sole purpose of suing for copyright infringement. So far, its main client, Stephens Media, has publicly authorized it to sue the operators of 145 internet sites on behalf of its flagship paper, the Las Vegas Review-Journal.

San Francisco’s EFF, which has been shopping for one of the cases to take, has agreed to defend user-generated Democratic Underground, a site that says it provides “political satire and commentary for Democrats.”

It’s also filed a countersuit claiming Monday that Righthaven is a “front and sham representative” of Stephens Media with a sole mission “to seek windfall recoveries of statutory damages and to exact nuisance settlements.”

Since Righthaven was formed this spring, it has settled about 20 percent of its lawsuits for a few thousand dollars each. Righthaven even demands forfeiture of a site’s domain, which likely fuels settlements from site owners who don’t have a lawyer or who conclude that legal fees would be more onerous than settling, said Kurt Opsahl, an EFF senior staff attorney.

Democratic Underground is being sued because a user of the site last month posted four paragraphs and a link to a 34-paragraph Review-Journal story, entitled “Tea party fuels Angle,” on Sharron Angle, the Republican Nevada candidate for Senate.

Opsahl claimed the site had a fair-use right to the four paragraphs. It was posted for discussion and commentary, not for commercial gain. The article, he said, is freely available on the Review Journal’s website, which encourages readers to share it via Facebook, Twitter, e-mail and by other means.

“We don’t think they should have filed this lawsuit in the first place,” Opsahl said.

At the very least, Righthaven should have requested that the site remove the disputed content, Opsahl said.

Interesting mash-up of maps and demographic information.

Revealed: The maps that show the racial breakdown of America’s biggest cities

Using information from the latest U.S. census results, the maps show the extent to which America has blended together the races in the nation’s 40 largest cities.

With one dot equalling 25 people, digital cartographer Eric Fischer then colour-coded them based on race, with whites represented by pink, blacks by blue, Hispanic by orange and Asians by green.

[All the maps are here:

Perhaps publishers shouldn't view the Kindle as a competitor?

In Study, Children Cite Appeal of Digital Reading

Many children want to read books on digital devices and would read for fun more frequently if they could obtain e-books. But even if they had that access, two-thirds of them would not want to give up their traditional print books.

… About 25 percent of the children surveyed said they had already read a book on a digital device, including computers and e-readers. Fifty-seven percent between ages 9 and 17 said they were interested in doing so.

Only 6 percent of parents surveyed owned an e-reader, but 16 percent said they planned to buy one in the next year. Eighty-three percent of those parents said they would allow or encourage their children to use the e-readers.

… The report also suggested that many children displayed an alarmingly high level of trust in information available on the Internet: 39 percent of children ages 9 to 17 said the information they found online was “always correct.”

Another bauble to beguile my Statistics class (Might be fun to have them build one)

Incredibly Depressing Mega Millions Lottery Simulator!

Qwiki will let you sign up for their Alpha release... I did.

Qwiki Just May Be The Future Of Information Consumption. And It’s Here Now.

To be clear, Qwiki isn’t a piece of hardware. Instead, it’s a piece of software meant to run on the web and as an app on mobile devices. What it does is present to you data about millions of topics in an extremely interesting and visual way. Imagine if someone created a movie highlight reel of Wikipedia pages — that’s sort of what Qwiki is like. You search for something — a topic, a person, etc — and Qwiki talks to you, telling you all you need to know about what you searched for, while also showing you key things about the subject or person.

Something for my new tech students. Not every free app, but several that will be useful for my website class and others. - A Swift Way To Install Free Software

Found at, the Free Apps website does something which is so useful that you are just left wondering why sites providing comparable services are not released at a more constant rate.

This site will come in handy when you have had to reformat your HD, or when a friend has just bought a computer and he needs the guidance of someone who knows a lot about applications that are substantially good. Well, on this site you will be able to individualize these applications one by one, and have Free Apps handle the entire installation process.

In both examples, this is a killer application in itself. In the first case, you are freed from having to oversee a lengthy installation process. And the same applies when it comes to installing software for a friend. You won’t even have to go to his house. You can tell him what he needs and where to find it. Free Apps will take care of installing it all for good.

Another site for my website students and no, it's not for wasting time playing games on the school computers... (look at their code, see how they do it, do it yourself)

HTML5games: Play HTML5 Games Online

HTML5games is exactly what its name suggests: a collection of games that run on the HTML5 platform. Although relatively new, the website features a number of impressive games including Asteroids, Chess, Knifetanks, and Pac-man. Each game carries a description and rating with itself.

Similar tools: CloudCanvas and Aloha-Editor.

Wednesday, September 29, 2010

All in all, Heartland has responded well to their breach. Therefore I'm inclined to believe this indicates how difficult it is to implement encryption on large numbers of devices at customer sites rather than any great reluctance on Heartland's part.

Heartland Payment Systems bolsters encryption

September 28, 2010 by admin

Ellen Messmer reports:

Heartland Payment Systems, which last year suffered a devastating data breach, has been on a mission to secure payment-card processing.

After introducing the E3 terminal for point-of-sale transactions last May, which has gone into use with about 5,000 Heartland merchant customers for encryption of sensitive cardholder data, Heartland Tuesday introduced yet another encryption device, called the E3 magnetic stripe reader wedge, which will be available next month.

Read more about how the E3 wedge works on Network World.

It's one thing if a small business has an existing wire transfer relationship with the bank. It's something else when the crooks can open one for you!

Wire-transfer fraud poses a growing problem

September 29, 2010 by admin

Doreen Hemlock filed this report last week:

Identity theft takes many forms, but Lenny Vigliotti never imagined it would show up as somebody wiring $12,000 from his South Florida savings account through multiple banks to end up in the Ukraine.

Nearly three months after he noticed the money missing, he’s yet to recoup the cash. As investigations proceed, he’s found out there’s a chance he may never get those savings back either.

Rules governing wire transfers place a larger burden on account holders than laws on credit cards or debit cards, Vigliotti has learned. And his Fort Lauderdale bank says he may not have met required security requirements on his computer system — even though he has secured wireless, firewalls, anti-virus software and other protection — and so, the bank may not be liable to pay him back.

“They say someone got into my computer, not their system,” said Vigliotti, a Hollywood resident. “But my point is: If you know fraud is a problem, and you see an account that has never had wire-transfers before, how do you let someone with a fax take out thousands of dollars without checking? All they needed to do was call me and ask: Are you applying for wire transfers? And I would have said: What are you talking about?”

Read more in the Orlando Sentinel.

I’m not sure why the reporter didn’t name the bank. Isn’t it newsworthy and wouldn’t other bank customers want to know that this is how the bank responds to its customers? Did the bank do enough to authenticate before making the transfer? [Isn't it obvious that they did not? Bob] The customer says ‘no,’ and many of us would likely agree with him:

The bank said it had received an authorization by fax to withdraw the money with a signature, phone number and fax number, which Vigliotti said were not his.

Unintended consequences?

US Gov't Assisted Iranian Gov't Mobile Wiretaps

Posted by CmdrTaco on Tuesday September 28, @04:27PM

bdsesq sent in a story on Ars Technica highlighting how the US government's drive for security back doors has enabled the Iranian government to spy on its citizens.

"For instance, TKTK was lambasted last year for selling telecom equipment to Iran that included the ability to wiretap mobile phones at will. Lost in that uproar was the fact that sophisticated wiretapping capabilities became standard issue for technology thanks to the US government's CALEA rules that require all phone systems, and now broadband systems, to include these capabilities."


Crypto Wars: EFF Urges Us To Stand Up and Defend Privacy

The disturbing news today is that the government intends to expand its ability to surveil us by putting government-mandated back doors in all communications systems and in all encryption software. [The previous article suggests they already have... Bob]

… Charlie Savage of The New York Times described how U.S. feds claim "that their ability to wiretap criminal and terrorism suspects is 'going dark' as people increasingly communicate online instead of by telephone." In fact, federal law enforcement and national security officials want Congress "to require all services that enable communications — including encrypted e-mail transmitters like BlackBerry, social networking Web sites like Facebook and software that allows direct 'peer to peer' messaging like Skype — to be technically capable of complying if served with a wiretap order. The mandate would include being able to intercept and unscramble encrypted messages." [..and that's the kicker. Bob]

Is California moving toward the kind of 'preemptive injunction' soccer players can get in the UK? (Did this law just make Identity theft a misdemeanor?)

California bans malicious online impersonation

September 28, 2010 by Dissent

Robert McMillan reports:

A new law makes it illegal in California to maliciously impersonate someone online.

On Monday California Governor Arnold Schwarzenegger signed the law, which makes it a misdemeanor in the state to impersonate someone online for “purposes of harming, intimidating, threatening, or defrauding another person.”

The bill’s author, State Senator Joe Simitian, said that Senate Bill 1411 brings California’s impersonation laws into the 21st century by addressing “the dark side of the social networking revolution.”

Read more on Computerworld.

This is similar to Australia's ruling earlier this week. Should the US follow suit?

India amends telecom rules over security fears

September 28, 2010 by admin

India’s Department of Telecommunications has amended the telecom licensing rules for national and international long-distance operators, asking them to address security concerns on their networks.

Telecom companies offering national and international long-distance communications services must now have a “well-outlined organizational policy on security and security management of their networks and shall be completely and totally responsible for security of their networks.”

The changes were made effective by the Department of Telecommunications–the licensing body for telecom services in India–through an amendment dated Aug. 11, a copy of the changed rules on the department’s website showed Tuesday.

Read more on MarketWatch.

Related: Expansion of Telecom Services in various zones of the country


India Launches Project to ID 1.2 Billion People

September 29, 2010 by Dissent

Amol Sharma reports:

India’s vaunted tech savvy is being put to the test this week as the country embarks on a daunting mission: assigning a unique 12-digit number to each of its 1.2 billion people.

The project, which seeks to collect fingerprint and iris scans from all residents and store them in a massive central database of unique IDs, is considered by many specialists the most technologically and logistically complex national identification effort ever attempted. To pull it off, India has recruited tech gurus of Indian origin from around the world, including the co-founder of online photo service Snapfish and employees from Google Inc., Yahoo Inc. and Intel Corp. [Did their employers allow them to participate in exchange for the knowledge they would gain? Bob]

Read more on WSJ

When will these parents learn that the government knows best? “Besides, we need to train the little bastids how to knuckle under to authority.”

Parents sue Springfield schools over lockdowns and searches

September 29, 2010 by Dissent

Chris Coughlin reports:

Parents sued the Springfield Public Schools, saying the repeated “mass lockdowns of public schools,” during which sheriff’s officers search virtually everything – backpacks, lockers, and students’ bodies, if the police dogs “alert” on them – are unconstitutional. When the parents complained, they say the school board said it was their “policy” to conduct five such lockdowns a year, though there was no probable cause for them.


When the Burlisons complained about the lockdown and warrantless searches, a publicist for the school district “publicly announced that the ‘lockdown’ and searches were a ‘standard drill’ and not prompted by any incident that had occurred at Central High School. The spokesman also announced that it was the intent and policy of defendants SPS to conduct similar ‘lockdowns at all SPS high schools.”

Read more on Courthouse News, where you can also read the complaint.

“Hey, If you don't like it, remember that we have the death penalty and are not reluctant to use it!”

Texas state health agency sells — or gives away — patient data

By Dissent, September 28, 2010

If you’ve ever been hospitalized in Texas, do you know who has bought or obtained your patient data?

Okay, this is mind-boggling. Truly. Even though I know that patient information is sold a lot, what’s going on in Texas seems really appalling.

First read this investigative report by Suzanne Batchelor of the Austin Bulldog. Here’s part of it:

Texas hospital-patient data for the years 1999 through 2003 are available at no charge. [So, I could get it for my Statistics class? Bob] Data for the years 2004 through 2009 must be purchased, but the cost is minimal for a commercial user (more about that later).

The hospital-patient Public Use Data Files contain more than 200 fields of information, naming everything from your insurance coverage, or lack of it, to whether or not your stay included placement of a heart stent, “sterilization,” “abortion performed due to rape,” or a drug- or alcohol-related diagnosis, along with what tests you got and when, and what medications you received.

Buyers may order one of two versions of the hospital-patient files.

Research version—This version of the Public Use Data Files contains complete personal information including date of birth, date of admission and discharge, and the patient’s full address.

De-identified version—For this version DSHS has removed some but not all personal information, in a privacy protection process called “de-identification.” DSHS removes the patient’s dates of admission and discharge from the hospital, but leaves in the dates of diagnoses, treatments, medications, and payments. A four-year age range is substituted for the patient’s exact age, and the street address is removed. The de-identified version includes the patient’s gender and full zip code in most cases.

After you read the full investigative report — and do read it all to learn who’s been buying your identifiable patient data for “research” purposes — then trot on over to the state’s site and prepare to breathe into a brown paper bag when you see this offer for sale:

The data files for 2009 include 255 data fields in a base data file and 13 data fields in a detailed charges file. Data files for years before 2004 include only 205 data fields.

As I read the report and looked at the site, I kept thinking about Professor Paul Ohm’s “database of ruin.” If you’ve been hospitalized in Texas, you may be closer to ruin than you know.

Over on Patient Privacy Rights, Dr. Deborah Peel has also blogged about this investigative report and urges members of the public to sign the “Do Not Disclose” petition.
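As an added illustration, not drawn from the Austin Bulldog report or the DSHS files themselves, the Python check below measures how identifying the fields the “de-identified” version retains (gender, full zip code, four-year age band, and the dates of diagnosis) are over a handful of constructed records, then shows the effect of the two standard fixes, coarsening and suppression. Record values, the `k_anonymity` and `suppress` helpers, and the zip/date granularity choices are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample rows mimicking the de-identified Public Use Data File
# layout the post describes: exact age replaced by a four-year band, street
# address removed, but gender, full zip and diagnosis dates retained.
# Every value here is made up for illustration.
RECORDS = [
    {"gender": "F", "zip": "78701", "age_band": "40-43", "diag_date": "2009-03-14", "dx": "stent"},
    {"gender": "F", "zip": "78701", "age_band": "40-43", "diag_date": "2009-03-14", "dx": "fracture"},
    {"gender": "M", "zip": "78701", "age_band": "40-43", "diag_date": "2009-03-14", "dx": "stent"},
    {"gender": "M", "zip": "78701", "age_band": "40-43", "diag_date": "2009-03-20", "dx": "asthma"},
    {"gender": "F", "zip": "79936", "age_band": "72-75", "diag_date": "2009-07-02", "dx": "stent"},
    {"gender": "F", "zip": "79936", "age_band": "72-75", "diag_date": "2009-07-09", "dx": "stent"},
    {"gender": "M", "zip": "79936", "age_band": "20-23", "diag_date": "2009-11-30", "dx": "fracture"},
]

# Quasi-identifiers the released file still carries (not the diagnosis itself).
AS_RELEASED = ("gender", "zip", "age_band", "diag_date")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Return (k, singletons): k is the smallest equivalence class size, and
    singletons is the number of records that are unique on the quasi-identifiers,
    i.e. linkable by anyone who knows just those facts about a patient."""
    classes = equivalence_classes(records, quasi_ids)
    if not classes:
        return 0, 0
    k = min(classes.values())
    singletons = sum(1 for size in classes.values() if size == 1)
    return k, singletons


def generalize(records):
    """Mitigation 1: coarsen zip to its 3-digit prefix and dates to year-month."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["diag_date"] = r["diag_date"][:7]
        out.append(g)
    return out


def suppress(records, quasi_ids, k_min):
    """Mitigation 2: drop records whose equivalence class is smaller than k_min."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records
            if classes[tuple(r[q] for q in quasi_ids)] >= k_min]


if __name__ == "__main__":
    print("as released:", k_anonymity(RECORDS, AS_RELEASED))          # (1, 5)
    coarse = generalize(RECORDS)
    print("generalized:", k_anonymity(coarse, AS_RELEASED))           # (1, 1)
    released_safe = suppress(coarse, AS_RELEASED, k_min=2)
    print("generalized + suppressed:", len(released_safe), "rows,",
          k_anonymity(released_safe, AS_RELEASED))                    # 6 rows, (2, 0)
```

Five of the seven constructed rows are unique on the retained fields alone; only after coarsening and dropping the last singleton does every row share its quasi-identifiers with at least one other patient.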

Once upon a time, the sheriff could identify criminals because they looked “shifty”

Behavioral biometrics to detect terrorists entering U.S.

September 29, 2010 by Dissent

Fingerprinting air passengers entering the United States is one counter-terrorism method used today. DHS, however, has another idea in the works: a behavioral biometrics monitoring system that gauges small changes in a person’s body, dubbed the “fidget factor,” especially in answer to a question such as “Do you intend to cause harm to America?”

Ellen Messmer writes that DHS has actually developed a prototype for putting subjects on a monitoring pad next to a battery of remote-sensing equipment that can very quickly measure ocular changes, heart, and respiration rates and even slight changes in the skin’s thermal properties as a way to detect suspicious behavior. [Or maybe they just need the bathroom? Bob] Dr. Starnes Walker, director of the research at the Science and Technology Directorate (S&T) at the DHS, discussed the effort during a keynote address at last week’s Biometric Consortium Conference in Tampa.

Read more on Homeland Security Newswire.

Not ready for prime time, though? See Automated Biometric Recognition Technologies ‘Inherently Fallible,’ Better Science Base Needed.

Inevitable? How could individuals respond?

UK's Two Biggest ISPs Rip Up Net Neutrality

Posted by CmdrTaco on Tuesday September 28, @02:59PM

"The UK's two biggest ISPs have openly admitted they'd give priority to certain internet apps or services if companies paid them to do so. Speaking at a Westminster eForum on net neutrality, senior executives from BT and TalkTalk said they would be happy to put selected apps into the fast lane, at the expense of their rivals. Asked specifically if TalkTalk would afford more bandwidth to YouTube than the BBC's iPlayer if Google was prepared to pay, the company's executive director of strategy and regulation, Andrew Heaney, argued it would be 'perfectly normal business practice to discriminate between them.' Meanwhile, BT's Simon Milner said: 'We absolutely could see a situation when content or app providers may want to pay BT for quality of service above best efforts,' [What, exactly, is “better than best?” Bob] although he added BT had never received such an approach."

Is it Censorship or does Google just want to avoid “recommending” certain topics? Strangely, “Republican” isn't on their list. But “Pamela Anderson?” Really?

Seven Words You Can't Say On Google Instant

Posted by timothy on Wednesday September 29, @05:03AM

"Back in 1972, George Carlin gave us the Seven Words You Can Never Say on Television. Thirty-eight years later, Valleywag reports on The Definitive List of Words Google Thinks Are Naughty. You've probably noticed how the new Google Instant tries to guess what you're searching for while you type — unless it thinks your search is dirty, in which case you'll be forced to actually press ENTER to see your results. Leave it to the enterprising folks at 2600 to compile an exhaustive list of words and phrases Google Instant won't auto-search for."

This is interesting for those of us who use this Microsoft Office alternative... Declares Independence From Oracle, Becomes LibreOffice

Posted by CmdrTaco on Tuesday September 28, @10:42AM

"The Project has unveiled a major restructuring that separates itself from Oracle and that takes responsibility for OpenOffice away from a single company. From now on, OpenOffice's development and direction will be decided by a steering committee of developers and national language project managers. Driving home the changes, the project is now The Document Foundation, while the suite has been given the temporary name of LibreOffice."

This should start some lawsuits flying...

Chinese 'Apple Peel' Turns iPods Into iPhones

Posted by timothy on Wednesday September 29, @04:00AM

"The Apple Peel 520, a Chinese-developed product that drew the media's attention for being able to turn an iPod Touch into an iPhone-like device, is coming to America. The add-on device, which just went on sale in China, has been billed as a more affordable option for users wanting to get their hands on an iPhone, but lack the budget."


Pinger Now Turns Your iPod Touch Into A Free Cell Phone

Earlier this month we took a look at Pinger, the company behind Textfree, a massively popular application for the iPhone and iPod Touch that gives users free, unlimited text messaging.

… And today at TechCrunch Disrupt, the company is announcing that it’s venturing into new territory: voice calls.

Textfree will soon include a true SIP-based VOIP client that works over both 3G and Wifi.

For my Statistics class. Nothing is certain (even the “obvious”) until you measure it and even then you can only be so “confident.”

September 28, 2010

Pew Forum: U.S. Religious Knowledge Survey

U.S. Religious Knowledge Survey, POLL - September 28, 2010

  • Executive Summary: "Atheists and agnostics, Jews and Mormons are among the highest-scoring groups on a new survey of religious knowledge, outperforming evangelical Protestants, mainline Protestants and Catholics on questions about the core teachings, history and leading figures of major world religions. On average, Americans correctly answer 16 of the 32 religious knowledge questions on the survey by the Pew Research Center’s Forum on Religion & Public Life. Atheists and agnostics average 20.9 correct answers. Jews and Mormons do about as well, averaging 20.5 and 20.3 correct answers, respectively. Protestants as a whole average 16 correct answers; Catholics as a whole, 14.7. Atheists and agnostics, Jews and Mormons perform better than other groups on the survey even after controlling for differing levels of education."

(Ditto) Perhaps we don't know everything we think we know?

Texting while driving bans don't work, may actually hurt, study finds

I use the Download Helper add-on and really find it useful.

Capture Streaming Video From Any Website With These 5 Tools