Thursday, April 28, 2011

Of course. Just because the Japanese have more US dollars and make most of our cars does not mean they understand American law or culture.

Sony sued for PlayStation Network data breach

Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.

The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the U.S. District Court for the Northern District of California. Johns accuses Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."

He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers "to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions."

The lawsuit is asking for monetary compensation and free credit card monitoring, and is seeking class action status.


Are fraud reports related to Sony breach?

Reports are trickling out from Sony PlayStation Network users about recent fraudulent charges on the credit cards they used for the PlayStation service. But it can't be substantiated at this time whether the fraud is a result of the data breach at Sony, and the timing of the reports could be coincidental.

… The company has not said how the breach happened and says there is "no evidence" that credit card information was compromised, but it advised customers to monitor their credit cards for erroneous charges anyway. [Not exactly the same as “We have evidence that credit card information was not taken...” In fact, this could be interpreted as, “We have no evidence at all.” Bob]

Update 5:28 p.m. PT: Sony released an FAQ blog post today that said credit card data was encrypted and separate from the other data, which was not encrypted but was "behind a very sophisticated security system that was breached in a malicious attack."

Another “Oops!” Think of it as an error on the back office players.

Yankees Accidentally Leak Personal Info Of 20,000 Season Ticket Holders

April 28, 2011 by admin

Barry Petchesky writes:

The New York Yankees accidentally distributed a file containing information on more than 20,000 season ticket accounts. The spreadsheet contains account numbers, names, addresses, phone numbers, and email addresses, and was mistakenly sent to thousands of current clients.

Precisely 21,466 season ticket plans are listed in the document, representing all of the “non-premium” seats that make up the vast majority of Yankee Stadium, excluding only the suites and the first few rows in the infield.

Read more on DeadSpin, where you can also read the email the Yankees sent all ticket-holders.

Less impactive than a Class Action suit, but still something to be avoided.

TX: Comptroller heads to court after security breach

April 27, 2011 by admin

John A. Salazar reports:

The Texas Comptroller faces her first legal hurdle after a year-long privacy breach resulted in the online exposure of 3.5 million Texans’ private information.

The Texas Civil Rights Project and Austin attorney Jim Harrington filed a petition against Comptroller Susan Combs in District Court.

The petition asks for Combs to go on record and answer 14 specific questions about how the privacy breach could have happened. Even if all 14 questions are answered, attorneys who filed the petition have little faith Combs can make matters better.

Read more on YNN.

[From the article:

"It's a question of incompetence on the part of the comptroller, clearly,” Harrington said. “But it's also a question of how do you undo this terrible breach of privacy that occurred."

Interesting. You have to reveal your UserID and passwords...

Greplin: 1.5 Billion Documents Indexed, Six Engineers

Late last year we first mentioned Y Combinator startup Greplin – it’s a startup that indexes your social stuff in the cloud, making all your Facebook, Gmail, LinkedIn, Google Calendar, Evernote, Twitter, Dropbox and just about everything else searchable. The easiest way to describe it is “the other half of search.”

They opened their doors to customers in February. The company won’t talk about total user numbers yet, which isn’t surprising. But we have dug one interesting data point out of founder Daniel Gross – They’ve now indexed some 1.5 billion documents. And they’re indexing about 30 million new documents per day.

What this means – when you join Greplin you authorize it to index various social apps and services. A typical user may sign up and start off by authorizing Greplin to index Facebook, Twitter and Gmail, for example. Greplin then grabs everything in those services – all your Facebook messages and updates, all your Twitter updates and DMs, all your Gmail messages back and forth, etc., and lets you search them. When you add up all those documents for all users, you get to that big number, 1.5 billion.

To put this into perspective, that’s about the size of Google’s web-wide index in 2001. Or 60 times the size of Google’s original 1998 index of 25 million documents.

On the daily side, Greplin’s 30 million new documents a day is about 25% of Twitter’s current load (and Twitter gets off easy with 140 character documents). It’s not an apples to apples comparison, but it gives you some idea of the scale that they’re already reaching. And remember, they launched in February.

Yesterday it was DHS. Today the FBI. Maybe we need to hire some 8-year-olds? (What do you bet the FBI uses this to justify requests for a massive budget increase?)

Report Critical of FBI Cybercrime-Fighting Ability

"Despite a push to bulk up its security expertise, the FBI in some cases lacks the skills to properly investigate national security intrusions. That was one of the major conclusions found in the U.S. Department of Justice inspector general audit of the FBI's ability to address national security cyberthreats today. The DOJ looked at 10 of the 56 FBI field offices and interviewed 36 agents. Of those interviewed, 13 'lacked the networking and counterintelligence expertise to investigate national security intrusion cases.'"

(Related) If you got a letter from the DOJ or FBI (surely they won't be knocking on your door...) would you feel comfortable refusing their “request?”

Feds To Remotely Uninstall Bot From Some PCs

"Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks. Coreflood will be removed from infected computers only when the owners have been identified by the DOJ and they have submitted an authorization form to the FBI. The DOJ's plan to uninstall Coreflood is the latest step in a coordinated campaign to cripple the botnet, which controls more than 2 million compromised computers. The remote wipe move will require consent, and the action does come with warnings from the court that provided the injunction against the botnet, however. 'While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers,' the authorization form reads. FBI Special Agent Briana Neumiller said, 'The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer.' The DOJ and FBI did not say how many machines it has identified as candidates for its uninstall strategy, but told the judge that FBI field offices would be notifying affected people, companies and organizations."

(Related) Okay, perhaps the US isn't the only country with Computer Security “issues”

Does China's Cyber Offense Obscure Woeful Defense?

"The official line in Washington D.C. is that there's a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."

The apparent strategy is: Do whatever brings in a buck, then say “Oops!” Why not go the extra step and replace Speed Cameras with constant speed monitoring?

TomTom apologizes for giving customer driving data to cops

April 27, 2011 by Dissent

Dan Goodin reports:

Navigation device maker TomTom has apologized for supplying driving data collected from customers to police to use in catching speeding motorists.

The data, including historical speed, has been sold to local and regional governments in the Netherlands to help police set speed traps, Dutch newspaper AD reported here, with a Google translation here. As more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data.

Read more in The Register.

(Related) Apple realized they don't need to store a year's worth of location data on your phone, since your phone sends them the data every few minutes. OR perhaps they overdo it so they can look good by removing the “Bug?”

Apple Promises Fix for Location-Gathering ‘Bug’ on iPhone

Is this an indication that the rules may change?

Israel’s National Labour Court severely restricts monitoring of employee email accounts

April 27, 2011 by Dissent

In a 91-page opinion the National Labour Court recently laid down a clear set of rules regarding an employer’s right to monitor its employees’ email messages and other employee uses of workplace IT systems.(1) The rules impose severe restrictions on employers’ rights, subsequently calling for employers to consider modification and reform of their employee privacy policies.

Read more about the decision on International Law Office.

[From the article:

An employer may monitor the traffic data and contents of professional purpose accounts only if it makes its employees aware of the email monitoring policy. However, if an employee uses the mailbox for personal email exchange, even if in violation of the corporate policy, the employer may access the personal messages in that account only subject to the employee's explicit, informative and freely given consent, and only if the contents of such personal messages are unlawful or abusive to the company. [I can't see this rule being adopted in the US. If you see a crime you have to get permission of the criminal to collect the evidence? Bob]

Another “alternative” to printed books...

Gore, Ex-Apple Engineers Team Up to Blow Up the Book

… Developed by former Apple employees Mike Matas and Kimon Tsinteris, Push Pop Press will be a publishing platform for authors, publishers and artists to turn their books into interactive iPad or iPhone apps — no programming skills required.

“The app is the richest form of storytelling,” [Really? Bob] Matas said. Push Pop Press “opens doors to telling a story with more photos, more videos and interactions.”

… Not impressed with words alone? Check out Gore’s tour of his book produced with Push Pop Press, embedded in the video below.

The former vice president approached Matas in September 2009 to create an app version of his book Our Choice: A Plan to Solve the Climate Crisis. Gore wanted the book app to contain videos, diagrams and other forms of multimedia that would flex the iPhone’s muscle. [Fishing for another Oscar? Bob]
