Friday, May 13, 2011

This did not result in Centennial-Man being deleted, but at 7:45 AM I can't update the Blog. Can I sue them anyway?

Blogger goes down, taking 30 hours of posts with it

Google's Blogger service has been offline or unreliable for much of the day, with Blogger-hosted blogs changed to read-only mode, and posts and comments made after 7:37 a.m. PDT on May 11, 2011, removed.

In a post on the Blogger help forum, the product team said that it had rolled back a scheduled maintenance release from last night and that its "engineers are working hard to return Blogger to normal and restore your posts and comments."

Either Marketing trumps Security or Consumers are ignorant or both?

PS3 Sales Up Despite the PSN Outage

The PlayStation Network has been offline for more than three weeks, but despite the outage, April saw an increase in PlayStation 3 sales. According to a Sony statement from Patrick Seybold, senior director of corporate communications at SCEA, NPD reported a 13 percent April increase for hardware sales and 40 percent year-over-year increase in software sales.

… Of course, April had 20 days to sell PS3s before the outage occurred, so the real test of consumer loyalty and the impact of this outage will come next month when May's sales are revealed.


Sony notifications to New Hampshire Attorney General’s Office

May 12, 2011 by admin

Although there doesn’t seem to be anything new in them, if you’re curious, you can see Sony’s breach notifications to New Hampshire of April 26 and May 2.

An Auditor? I'm professionally appalled... And there is no indication that this data was encrypted!

OH: Laptop with financial information stolen from the home of state Auditor’s Office employee

May 12, 2011 by admin

Reginald Fields reports:

A state-owned laptop containing some financial audits of public offices in northwest Ohio was stolen this week during a burglary at a house in Findlay.

It was the home of a regional auditor for the state Auditor’s Office.

The employee, whose identity has not been released, was suspended for 15 days [Insufficient. Fire him! Bob] because a password that opens access to the financial records was attached to the computer, [A sticky note? Unbelievable. Bob] a violation of the office policy.

The Auditor’s Office said the public offices whose information was contained on the computer are being notified, according to a news release from Auditor Dave Yost’s office.

The release said there was very little personal information included in the files on the laptop.


I wonder what they consider “very little personal information.”

[From the article:

In 2007, a data backup cartridge that contained sensitive information, including some Social Security numbers, for 1.3 million individuals, business and other entities was stolen from a car owned by a state intern.

After that incident, Ohio spent about $1.8 million for new software to better encrypt information on state computers and other electronic devices and add tracking devices to state computers so information could be deleted remotely.

For my Ethical Hackers: How would you detect these emails?

How bin Laden emailed without being detected by US

… Bin Laden's system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. [Because he rarely deleted the emails? Bob]

… Holed up in his walled compound in northeast Pakistan with no phone or Internet capabilities, bin Laden would type a message on his computer without an Internet connection, then save it using a thumb-sized flash drive. He then passed the flash drive to a trusted courier, who would head for a distant Internet cafe.

At that location, the courier would plug the memory drive into a computer, copy bin Laden's message into an email and send it. Reversing the process, the courier would copy any incoming email to the flash drive and return to the compound, where bin Laden would read his messages offline.

… Navy SEALs hauled away roughly 100 flash memory drives after they killed bin Laden, and officials said they appear to archive the back-and-forth communication between bin Laden and his associates around the world.

Al-Qaida operatives are known to change email addresses, so it's unclear how many are still active since bin Laden's death. But the long list of electronic addresses and phone numbers in the emails is expected to touch off a flurry of national security letters and subpoenas to Internet service providers.

Interesting stuff.

UK: Police buy software to map suspects’ digital movements

May 13, 2011 by Dissent

Ryan Gallagher and Rajeev Syal report:

Britain’s largest police force is using software that can map nearly every move suspects and their associates make in the digital world, prompting an outcry from civil liberties groups.

The Metropolitan police has bought Geotime, a security programme used by the US military, which shows an individual’s movements and communications with other people on a three-dimensional graphic. It can be used to collate information gathered from social networking sites, satellite navigation equipment, mobile phones, financial transactions and IP network logs.

Read more in The Guardian.

President’s cybersecurity agenda includes proposed federal data breach notification law

May 12, 2011 by admin

To cut to the chase: you can read the language of the proposed data breach notification law here.

Sadly, the proposed language allows entities NOT to notify affected individuals if they conduct a risk assessment and determine that there is no risk to those whose data were breached.

Other problems I see on a first reading are:

1. The law would only apply to entities dealing with 10,000 or more individuals in a 12-month period. That would still leave us without a national data breach law for smaller entities. Don’t their breaches put us at risk?

2. There does not seem to be a provision that would permit the FTC to reject an entity’s risk assessment exemption and to tell them that no, they must notify individuals.

3. The proposal does not require the entity to provide important details about the breach to affected individuals such as when the breach occurred and when it was first detected, or even how the breach occurred – was it a hack, or web exposure, or…?

4. The proposal would supersede much stronger state breach notification laws.

5. The proposal does not establish or recognize a private cause of action.

6. The proposal would still leave us without any national data breach notification law that would apply to paper records outside of HIPAA-covered entities.

7. The proposal does not require the breached entity to post a prominent notice linked from the home page of any web site they maintain.

I’m sure I’ll have other concerns when I read this again tomorrow, but right now, there’s just so much wrong with this weak bill that I wish someone would just go smack the WH on its head and tell them to read this blog or other privacy advocacy sites that have been pointing out certain problems and needs forever.

Update: The government has posted a section-by-section analysis of the data breach notification provisions.

Logic be damned! “On occasion, someone takes your pictures without compensation. From now on, we will take your pictures and receive compensation. Isn't that better?”

TwitPic Will Sell Your Photos, But No Cash For You

"Twitter picture-posting service TwitPic has defended its plans to sell users' photos, but still won't cut users in on the deal. TwitPic founder Noah Everett claims that the move has been made to 'protect' users of the service."

[From the Meejahor Blog:

As we’ve grown, Twitpic has been a tool for the spread of breaking news and events. Since then we’ve seen this content being taken without permission and misused. We’ve partnered with organizations to help us combat this and to distribute newsworthy content in the appropriate manner. This has been done to protect your content from organizations who have in the past taken content without permission. As recently as last month, a Twitpic user uploaded newsworthy images of an incident on a plane, and many commercial entities took the image from Twitpic and used it without the user’s permission.

...if you have a smartphone.

Facebook Adds Two-Factor Authentication

"To help its hundreds of millions of users prevent unauthorized access to their accounts, Facebook has added an optional verification step to its log-in process. The new security feature, called Login Approvals, is a form of two-factor authentication."

(Related) On the other hand...

Facebook, You’re Going To Need A Better Answer For Your Slimeball Stunt

At this point, I think it’s pretty clear what Facebook’s strategy for this whole Burson-Marsteller caught-with-their-pants-down situation is going to be: say as little as possible and move on. And it will work.

Like it or not, Facebook is too integrated into the fabric of the web now for everyone to just walk away. As has been proven time and time again, people will get really angry with them for some misstep, and then totally forget about it a week later. So this is the smart play by Facebook.

Future watch: Perhaps we can look forward to e-Walmart? Or you might order stuff online and pick it up at Walmart (free shipping)?

Walmart Invests In Yihaodian, A Massive Chinese E-Commerce Company
