This should be interesting... One of the Baker Street irregulars (my Intro to Computer Security students) picked this one up for me.
Epsilon pledges to build 'Fort Knox' around breached system
E-mail marketing giant Epsilon will build an industry-leading security system in response to a March 30 breach in which thieves gained access to the e-mail addresses and names of partners' customers, the CEO of Epsilon's parent company said Thursday.
… "Bottom line, we will emerge not just with strong security protocols, but industry-leading," he said. "We're essentially going to build Fort Knox around this thing. We've taken the position now that it's not good enough to be at or above the industry [standard], we need to be the absolute leader in the industry because we are the largest player." [I wish them well. Seriously! Bob]
Epsilon's e-mail marketing technologies will sacrifice some flexibility and user-friendliness for security, Heffernan said during a conference call about his company's quarterly profits. Heffernan didn't disclose what new security measures the company planned to take.
… "While knowing we are the victim of this crime, we will not be playing that card," he said. "Rather, we view our role as standing up and taking the hit for what these cyber-crooks did. We will learn from the experience and come out stronger than ever."
Still, Alliance Data Systems projected no "meaningful" costs or liability related to the incident, Heffernan said. E-mail volumes have remained at the expected levels, and the company expects no changes in Epsilon's financial results going forward.
The company expects the "vast, vast majority, if not all," of Epsilon's clients to remain with the company, he said.
Interesting as this is the second (Amazon) Cloud service to fail this week. I wonder if it is another example of Sony cutting corners?
A Disaster In The Making? Sony’s PlayStation Network Suffers Prolonged Global Outage
Sony’s PlayStation Network, its online service for PlayStation 3 and PlayStation Portable consoles, suffered from a major outage today, which remains ongoing. According to Sony’s blog, the interruption in service may last into the long weekend — for at least another “full day or two”. The Sony Network currently has more than 70 million registered users, many of whom have taken to Twitter and other social networks to express their frustration over the prolonged downtime. Millions of unhappy gamers (and Netflix customers) a PlayStation outage makes.
(Related) Speaking of Amazon... Are their “Zones” based on legal jurisdictions or the availability of cheap power?
Amazon Outage Shows Limits of Failover 'Zones'
"For cloud customers willing to pony up a little extra cash, Amazon has an enticing proposition: Spread your application across multiple availability zones for a near-guarantee that it won't suffer from downtime. ' By launching instances in separate Availability Zones, you can protect your applications from failure of a single location,' Amazon says in pitching its Elastic Compute Cloud service. But the availability zones are close together and can fail at the same time, as we saw today. The outage and ongoing attempts to restore service call into question the effectiveness of the availability zones, and put a spotlight on Amazon's failure to provide load balancing between the east and west coasts."
How much information does a government need to know to grant you a passport?
State Dept. proposes “Biographical Questionnaire” for passport applicants
April 22, 2011 by Dissent
Papers, Please! calls our attention to this stunning over-reach of surveillance:
The U.S. Department of State is proposing a new Biographical Questionnaire for passport applicants. The proposed new Form DS-5513 asks for all addresses since birth; lifetime employment history including employers’ and supervisors names, addresses, and telephone numbers; personal details of all siblings; mother’s address one year prior to your birth; any “religious ceremony” around the time of birth; and a variety of other information. According to the proposed form, “failure to provide the information requested may result in … the denial of your U.S. passport application.”
Read more on Papers, Please!
If you want to submit comments during the period for public comments, you’ll have to do so quickly as April 25 appears to be the last day for comments. The blog has information on how you can submit your comments.
The government seems to have given up any pretense at respecting privacy and the Constitution.
What right do they have to demand information on a citizen’s religion via a backdoor question about religious ceremonies? Are they arguing that the First Amendment protects our freedom of religion but not the right to keep our religious associations to ourselves?
And now we need to sell out our siblings’ personal details and privacy to get a passport?
And remind me: this would be the same State Department that has had a dozen employees prosecuted for snooping in people’s files? And the same one that had all of their cables spread all over the world?
Bad idea, State Department. Really, really bad. This is a total surveillance state move and must be resisted strongly.
Spread the word, folks.
(Related) Don't bother to tell your customers, but be sure to market forensic tools to law enforcement... Much more in the article, including where to get training...
How police have obtained iPhone, iPad tracking logs
Law enforcement agencies have known since at least last year that an iPhone or iPad surreptitiously records its owner's approximate location, and have used that geolocation data to aid criminal investigations.
Apple has never publicized the undocumented feature buried deep within the software that operates iPhones and iPads, which became the topic of criticism this week after a researcher at a conference in Santa Clara, Calif., described in detail how it works. Apple had acknowledged to Congress last year only that "cell tower and Wi-Fi access point information" is "intermittently" collected and "transmitted to Apple" every 12 hours.
At least some phones running Google's Android OS also store location information, Swedish programmer Magnus Eriksson told CNET today. And research by another security analyst suggests that "virtually all Android devices" send some of those coordinates back to Google.
… They've become a valuable sales pitch when targeting customers in police, military, and intelligence agencies.
The U.K-based company Forensic Telecommunications Services advertises its iXAM product as able to "extract GPS location fixes" from an iPhone 3GS including "latitude, longitude, altitude and time." Its literature boasts: "These are confirmed fixes--they prove that the device was definitely in that location at that time." Another mobile forensics company, Cellebrite, brags that its products can pluck out geographical locations derived from both "Wi-Fi and cell tower" signals, and a third lists Android devices as able to yield "historical location data" too.
Alex Levinson is the technical lead for a competing company called Katana Forensics, which sells Lantern 2 software that extracts location information from iOS devices.
… Research by security analyst Samy Kamkar, a onetime hacker with a colorful past, indicates an HTC Android phone determined its location every few seconds and transmitted the data to Google at least a few times an hour, according to a report in The Wall Street Journal. It said that the Android phone also transmitted the name, location and signal strength of nearby Wi-Fi networks, as well as a unique identifier for the phone.
… Courts have been split on whether warrants are required to peruse files on gadgets after an arrest, with police typically arguing that the Fourth Amendment's prohibition on unusual searches doesn't apply.
… In addition, the U.S. Department of Homeland Security has publicly asserted the right to copy all data from anyone's electronic devices at the border--even if there's no suspicion of or evidence for illegal activity. The U.S. Ninth Circuit Court of Appeals has blessed the practice.
I like them! Will impact US companies who OutSource to India...
India Issues Draft Privacy Rules
April 22, 2011 by Dissent
The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.
Read more on Hunton & Williams Privacy and Information Security Law Blog.
Free is good!
April 21, 2011
Justia's new free service provides Daily & Weekly Opinion Summaries for all Federal Courts
Another invaluable service for researchers that facilitates free access to court opinions - from the innovative experts at Justia - who are now "providing FREE Daily & Weekly Opinion Summaries for all Federal Courts, and selected State Supreme Courts. See an example daily email for the U.S. 9th Circuit Court of Appeals or a weekly practice area email for Environmental Law."
"To sign up for the Case Summary Newsletters you first need to login to or create a Justia Account. Then you will be able to select the free newsletters you wish to subscribe to."
This “Clarification” is confusing...
Pointer: Recent cases, from the Harvard Law Review
April 22, 2011 by Dissent
In Harvard Law Review (Volume 124 · April 2011 · Number 6):
Third Circuit Allows Government to Acquire Cell Phone Data Without Probable Cause. — In re The Application of the United States for an Order Directing a Provider of Electronic Communication Service to Disclose Records to the Government, 620 F.3d 304 (3d Cir. 2010).
Lawyers dueling Lawyers. Perhaps we could provide the swords?
IMSLP Taken Down By UK Publishers Group
"According to a post at the IMSLP Journal, the IMSLP, the largest site on the 'net providing public domain sheet music, has been taken down yet again. The UK-based Music Publisher's Association has sent GoDaddy, the IMSLP's domain registrar, a DMCA takedown notice. The IMSLP argues that the notice is bogus. More detailed discussions on the matter can be found at the IMSLP Forums."
[Finally, an aggressive response! Bob]
What is the MPA complaining about? Rachmaninoff's Bells, which is public domain both in Canada and the USA: http://petruccilibrary.org/wiki/The_Bel ... _Sergei%29 MPA's claim is entirely bogus.
… Anyone who is interested in suing or helping to sue the MPA under DMCA section 512(f) (misrepresentations) please contact me at imslproject
I'm always looking for practical examples for my Math students. Odd that the defense relies on TWO pictures taken by these cameras. No doubt the company will stop taking that second picture... Perhaps Courts should insist that all “automated ticketing systems” take two pictures? (Perhaps this suggests a Business Opportunity as well? )
Business owner casts reasonable doubt on accuracy of speed cameras
Will Foreman has beaten the speed cameras.
Five times and counting before three different judges, the Prince George’s County business owner has used a computer and a calculation to cast reasonable doubt on the reliability of the soulless traffic enforcers.
… “You’ve produced an elegant defense and I’m sufficiently doubtful,” Judge Mark T. O’Brien said to William Adams, after hearing evidence that his Subaru was traveling below the 35-mph limit - and not 50 mph as the ticket indicated.
Mr. Foreman, the owner of Eastover Auto Supply in Oxon Hill, examined dozens of citation photos of his company’s trucks that were issued along a camera-monitored stretch of Indian Head Highway his employees frequently travel.
The camera company, Optotraffic, uses a sensor that detects any vehicle exceeding the speed limit by 12 or more mph, then takes two photos of it for identification purposes. The photos are mailed to violators, along with a $40 ticket.
For each ticket, Mr. Foreman digitally superimposed the two photos - taken 0.363 seconds apart from a stationary point, according to an Optotraffic time stamp - creating a single photo with two images of the vehicle.
Using the vehicle’s length as a frame of reference, Mr. Foreman then measured its distance traveled in the elapsed time, allowing him to calculate the vehicle’s speed. In every case, he said, the vehicle was not traveling fast enough to get a ticket.
So far the judges have agreed.
… Mr. Foreman’s tickets were all issued in Forest Heights, a town of about 2,600 where officials expected $2.9 million in ticket revenue this fiscal year, about half the town’s $5.8 million budget.
… Optotraffic representatives said the photos are not intended to capture the actual act of speeding, [But, wouldn't the photos show skid marks as drivers slammed on the brakes to slow from 50 to “less than 35” in a mere 50 feet? Bob] and are taken nearly 50 feet down the road from sensors as a way to prove the vehicle was on the road.
“No one has come to us with a proven error,” company spokesman Mickey Shepherd said Tuesday. “Their speed is not measured by the photos. The speed is measured before the photos are taken.”
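Since the speed-camera story is exactly the kind of practical exercise I hand my Math students, here is the overlay calculation from the article worked through in code. This is an added example, not code from the article, from Optotraffic, or from Mr. Foreman. The only figures taken from the article are the 0.363 s interval between exposures and the 12-mph trigger threshold; the truck length, pixel counts and ticketed speed are constructed sample input, and the ±3 px measurement error is an assumed figure. The method also assumes the vehicle's scale in the frame is the same in both photos (it is moving across the camera's view, not toward it), which is what lets its own length serve as the scale bar.

```python
"""Speed estimate from two time-stamped photos, using the vehicle's own
length as the scale bar (the overlay method described in the article).

Added example; not code from the article, Optotraffic, or Mr. Foreman.
Assumptions (labelled): the two exposures are 0.363 s apart (article),
the vehicle's real length is known, and the vehicle appears at the same
scale in both photos. Pixel counts are constructed sample input.
"""

FT_PER_MILE = 5280.0
SEC_PER_HOUR = 3600.0
FRAME_INTERVAL_S = 0.363      # Optotraffic time stamp, per the article
OVER_LIMIT_TRIGGER_MPH = 12   # sensor trips at 12+ mph over the limit, per the article


def fps_to_mph(fps: float) -> float:
    return fps * SEC_PER_HOUR / FT_PER_MILE


def mph_to_fps(mph: float) -> float:
    return mph * FT_PER_MILE / SEC_PER_HOUR


def estimate_speed_mph(vehicle_len_ft: float, vehicle_px: float,
                       displacement_px: float, dt_s: float = FRAME_INTERVAL_S) -> float:
    """Speed implied by the overlay: shift between the two images, converted
    from pixels to feet via the vehicle's known length, over the elapsed time."""
    if vehicle_px <= 0 or dt_s <= 0:
        raise ValueError("vehicle pixel length and interval must be positive")
    feet_per_px = vehicle_len_ft / vehicle_px
    return fps_to_mph(displacement_px * feet_per_px / dt_s)


def speed_bounds_mph(vehicle_len_ft: float, vehicle_px: float, displacement_px: float,
                     px_err: float = 3.0, dt_s: float = FRAME_INTERVAL_S) -> tuple:
    """Worst-case speed bounds if each pixel reading is off by +/- px_err (assumed).
    Highest speed: shift read long and vehicle read short; lowest: the reverse."""
    hi = estimate_speed_mph(vehicle_len_ft, vehicle_px - px_err, displacement_px + px_err, dt_s)
    lo = estimate_speed_mph(vehicle_len_ft, vehicle_px + px_err,
                            max(displacement_px - px_err, 0.0), dt_s)
    return lo, hi


def expected_displacement_ft(claimed_mph: float, dt_s: float = FRAME_INTERVAL_S) -> float:
    """How far a vehicle really travelling at claimed_mph moves between the exposures."""
    return mph_to_fps(claimed_mph) * dt_s


def ticket_supported(vehicle_len_ft: float, vehicle_px: float, displacement_px: float,
                     limit_mph: float, px_err: float = 3.0) -> bool:
    """True only if even the reading most favourable to the camera puts the
    vehicle at or above the ticketing threshold (limit + 12 mph)."""
    _, hi = speed_bounds_mph(vehicle_len_ft, vehicle_px, displacement_px, px_err)
    return hi >= limit_mph + OVER_LIMIT_TRIGGER_MPH


if __name__ == "__main__":
    # Constructed sample: a 20 ft truck spanning 400 px in the frame, shifted
    # 320 px between the two exposures; the ticket claims 50 mph in a 35 zone.
    truck_ft, truck_px, shift_px, limit, claimed = 20.0, 400, 320, 35, 50
    est = estimate_speed_mph(truck_ft, truck_px, shift_px)
    lo, hi = speed_bounds_mph(truck_ft, truck_px, shift_px)
    need_ft = expected_displacement_ft(claimed)
    print(f"photo-derived speed: {est:.1f} mph (range {lo:.1f}-{hi:.1f} mph at +/-3 px)")
    print(f"at a true {claimed} mph the truck would move {need_ft:.1f} ft "
          f"({need_ft / truck_ft:.2f} truck lengths); the photos show "
          f"{shift_px / truck_px:.2f} truck lengths")
    print("ticket supported by the photos:", ticket_supported(truck_ft, truck_px, shift_px, limit))
```

On the sample numbers the overlay puts the truck at about 30 mph, and even reading every pixel in the camera's favour it stays well under the 47-mph trigger, whereas a genuine 50 mph would have carried it a third of a truck length further than the photos show. The error bounds are the part worth insisting on in court: a bare point estimate invites the "your ruler is off" reply, while a worst-case bound that still falls short of the threshold is the reasonable doubt.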