I'd like to believe this is evidence of a trend: governments not satisfied with vague statements like “We suffered an intrusion...” Should a full “Autopsy” be provided to the government as part of the mandator breach reporting?

http://www.databreaches.net/?p=18062

Taipei demands answers from Sony, threatens fines

April 29, 2011 by admin

Ralph Jennings reports:

The city of Taipei is demanding that Sony provide details about any leak of PlayStation Network user data following an intrusion last week or face fines.

As pressure mounts internationally against Sony over the failure of its PlayStation Network online gaming service, the Taiwan capital’s Law and Regulation Commission said late on Thursday it had sent the Japanese company a letter asking it to explain the incident “from start to finish” and any proposed follow-up measures.

The letter was sent on Wednesday and gives Sony 10 days to respond. If it fails to reply in time, it would be fined between NT$30,000 (US$1044) and NT$300,000 for alleged breaches of local consumer protection laws, the commission said in a statement.

Read more on PCWorld.

(Related)

http://thehill.com/blogs/hillicon-valley/technology/158447-house-members-grill-sony-on-data-breach

House members grill Sony on data breach

Rep. Mary Bono Mack (R-Calif.), chair of the Energy and Commerce Trade subcommittee, and ranking member Rep. G.K. Butterfield (D-NC), wrote to the company with a 13 questions about the incident.

They said it would help inform the subcommittee's work on data protection. Bono Mack is preparing data protection legislation and will hold a hearing next week on the Sony breach.

… They also asked why Sony can't rule out the possibility that credit card numbers were obtained. "Please explain…why you cannot determine if the data was in fact taken," the lawmakers said.

[The letter: http://graphics8.nytimes.com/packages/pdf/technology/20110428-sony-letter.pdf

For my Computer Security students, who weren't quite sure what a “land line” phone was...

http://www.makeuseof.com/tag/rise-smartphone-snooping-check/

The Rise Of Smartphone Snooping & How To Check For It

Snooping on computers has been a problem for decades. The so-called Trojan Horse, malware that gives a hacker access to a PC without the owner’s permission, has been around since the 80′s. Keyloggers are another area of concern, and have been given some attention in the popular media from time to time. But whatever you call it, snooping on a PC is an accepted risk, and one users often look out for.

But what about your smartphone? Modern devices are essentially tiny PCs that also make phone calls, and the potential negative effects of Smartphone snooping could be much worse. Smartphones transmit location data and store lists of everyone you know, along with their phone numbers. Obviously, this information shouldn’t be in the wrong hands, but what can you do to prevent Smartphone snooping?

NOW do you see how much fun it is to write Acceptable Use policies?

http://www.pogowasright.org/?p=22632

Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use “Exceeds Authorized Access” (Making It a Federal Crime)

April 29, 2011 by Dissent

Orin Kerr writes:

I had though the world was safe from the nuttiness of the Justice Department’s broad theories of the Computer Fraud and Abuse Act in the Lori Drew case. Not so. Readers may recall I once blogged about a similar case, United States v. Nosal, that raised similar issues in the context of an employee who breached his employer’s written restrictions on computer use. What I didn’t realize is that DOJ appealed a district court’s order in Nosal and brought the issue to the Ninth Circuit.

In a divided opinion today by Judge Trott, joined by Judge O’Scannlain, United States v. Nosal, the Ninth Circuit held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.”

Read more on The Volokh Conspiracy.

The Internet of Things. RFID is too cheap not to track everything.

http://idle.slashdot.org/story/11/04/29/1550220/Hotel-Tracks-Towels-With-RFID-Chips?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Hotel Tracks Towels With RFID Chips

"An unnamed hotel is now putting RFID tags in their towels: 'The Honolulu hotel (the hotels have asked to remain anonymous, just to keep you guessing) says it was taking a bath to the tune of 4,000 pool towels per month, a number that it has reduced to just 750 (a savings of $16,000 per month). And that's just at the pool.' It's unclear what they do if the towel flies to the Midwest."

[From the article:

Three hotels in Honolulu, Miami, and NYC have employed a new kind of washable RFID tag to keep you from stealing their towels, linens, and plush terrycloth bathrobes.