Saturday, October 08, 2011


I could probably write these press releases myself. All it takes is a bit of obfuscation, double-think and chutzpah...
By Dissent, October 7, 2011
Three unencrypted computer backup tapes containing patient billing and employee payroll data have been reported missing from a Nemours facility in Wilmington, Delaware. The tapes were stored in a locked cabinet following a computer systems conversion completed in 2004. [I wonder if they had been seen since then? Bob] The tapes and locked cabinet were reported missing on September 8, 2011 and are believed to have been removed on or about August 10, 2011 during a facility remodeling project.
There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment [a tape reader Bob] and specific technical knowledge [How to push the “ON” button? Bob] would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.
“This is an isolated incident unrelated to patient care and safety,” said David J. Bailey, M.D., President and Chief Executive Officer. “The privacy of our patients, their families, and our employees and business partners is a high priority to all of us at Nemours.”
The information on the tapes dates principally between 1994 and 2004 and relates to approximately 1.6 million patients and their guarantors, vendors, and employees at Nemours facilities in Delaware, Pennsylvania, New Jersey and Florida. The missing backup tapes contained information such as name, address, date of birth, Social Security number, insurance information, medical treatment information, and direct deposit bank account information.
Nemours is notifying individuals who may have been affected and offering them one year of free credit monitoring and identity theft protection as well as call center support. Additionally, Nemours is taking immediate steps to strengthen its data security practices. These include moving towards encrypting all computer backup tapes [not actually encrypting the backups, but thinking about possibly scheduling a planning meeting to consider forming a committee to evaluate potential processes that might eventually lead to a procedure, etc. Bob] and moving non-essential computer backup tapes to a secure off-site storage facility.
Source: Nemours Press Release
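The release above turns on one fact: the tapes were written in the clear. A control that catches that before a tape goes into the cabinet is a simple audit of the image itself. The following is an added example, not code from Nemours or the press release, and it assumes three constructed "tape images" (a cleartext billing export, the same export merely zlib-compressed, and a deterministic SHA-256 keystream standing in for real AES-GCM ciphertext). It flags low byte entropy, inflates compressed streams before inspecting them (compression looks random but hides nothing), and reports any SSN-shaped values that are readable without a key.

```python
import hashlib
import math
import re
import zlib
from collections import Counter
from typing import List, Tuple

# Constructed sample "tape images"; none of this is real patient data.
CLEARTEXT_BACKUP = b"".join(
    b"patient%04d,1990-01-%02d,%03d-%02d-%04d,ACCT%06d\n"
    % (i, i % 28 + 1, 100 + i, 10 + i % 90, 1000 + i, i)
    for i in range(200)
)
# Compressed but not encrypted: high entropy, yet every record is recoverable.
COMPRESSED_BACKUP = zlib.compress(CLEARTEXT_BACKUP)
# Deterministic stand-in for ciphertext (assumption: a real backup would use an
# authenticated cipher such as AES-GCM; a SHA-256 keystream keeps this offline).
ENCRYPTED_BACKUP = b"".join(
    hashlib.sha256(b"constructed-keystream-%d" % i).digest() for i in range(128)
)

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inflate_if_compressed(data: bytes) -> bytes:
    """Entropy cannot tell compression from encryption, so try to inflate
    zlib and gzip streams and audit the inflated content instead."""
    for wbits in (zlib.MAX_WBITS, zlib.MAX_WBITS | 16):  # zlib, then gzip
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return data


def audit_backup(data: bytes, min_entropy: float = 7.0) -> Tuple[bool, List[str]]:
    """Return (ok, findings). ok is False when the image looks like cleartext
    or exposes SSN-shaped values. A tripwire, not a proof of encryption."""
    findings: List[str] = []
    body = inflate_if_compressed(data)
    if body is not data:
        findings.append("stream inflated: compressed, not encrypted")
    ent = shannon_entropy(data)
    if ent < min_entropy:
        findings.append(f"entropy {ent:.2f} bits/byte below {min_entropy}: looks unencrypted")
    hits = SSN_RE.findall(body)
    if hits:
        findings.append(f"{len(hits)} SSN-shaped value(s) readable without a key")
    return (not findings, findings)


if __name__ == "__main__":
    for label, image in (("cleartext", CLEARTEXT_BACKUP),
                         ("compressed", COMPRESSED_BACKUP),
                         ("encrypted", ENCRYPTED_BACKUP)):
        ok, findings = audit_backup(image)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Run it against the image file that is about to be written to tape; any FAIL means the tape should not leave the data center. The entropy threshold is a heuristic, so the identifier scan is the finding to trust, and the inflate step is what keeps a merely compressed export from passing as "encrypted".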


Identity theft seems to be the hot new “Franchise” for criminals.
More than 100 arrested in massive NYC theft ring
… In total, 111 people were arrested and more than 85 are in custody; the others are still being sought. Five separate criminal enterprises operating out of Queens were dismantled. They were hit with hundreds of charges, said Queens District Attorney Richard Brown, calling it the largest fraud case he'd ever seen in his two decades in office.
… The enterprise had been operating since at least 2010 and included at least one bank and restaurants, mostly in Queens. Authorities say the graft operated like this:
At least three bank workers, retail employees and restaurant workers would steal credit card numbers in a process known as skimming, in which workers take information from when a card is swiped for payment and illegally sell the credit card numbers. Different members of the criminal enterprise would steal card information online.
The numbers were then given to teams of manufacturers, who would forge Visas, MasterCards, Discover and American Express cards.
… The plastic would be given to teams of criminal "shoppers" for spending sprees at higher-end stores including Apple, Bloomingdale's and Macy's. The groups would then resell the merchandise overseas to locations in China, Europe and the Middle East.
All told, more than $13 million was spent on iPads, iPhones, computers, watches and fancy handbags from Gucci and Louis Vuitton, authorities said.


Each new technology ignores the lessons learned by earlier technologies...
October 07, 2011
Wired Reports Keylogger Computer Virus Has Infected U.S. Drone Fleet
Danger Room: "A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones. The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system."
[From the article:
“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”
… The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech.
… But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, U.S. forces discovered “days and days and hours and hours” of the drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video.


The first job for any bureaucracy is to survive and grow. Solving problems is contrary to this goal.
White House Issues ‘WikiLeaks’ Order to Secure Classified Data
… The so-called “WikiLeaks Order” (.pdf) was issued by President Obama on Friday and largely focuses on establishing committees, offices and task forces to work on implementing a balance between the needs of federal agencies to access classified data and the necessity of securing that data against improper usage and leaks.


It looks like the next Privacy Foundation seminar will address how lawyers calculate/estimate/guess Damages following a Privacy Breach. Articles like this one lead me to ask my lawyer friends if there is a polite way to initiate a lawsuit – i.e. one that suggests a settlement is possible without the need to mount a “full court press” defense? What are the signals?
Citigroup Sued by Cardholders Over May Security Breach
October 7, 2011 by admin
Patricia Hurtado reports:
Citigroup Inc. (C), the third-largest U.S. bank, was sued by cardholders over a May computer security breach that affected more than 360,000 accounts.
Kristina and Steven Orman of Northport, New York, sued Citigroup in federal court in Manhattan today, seeking to represent victims of the hacking in a class-action, or group, lawsuit. Money was stolen from their bank account and their credit cards were illegally used by third parties following the breach, they said.
Read more on Bloomberg.
[From the article:
“Defendants have taken no steps that adequately or effectively protect cardholders against illegal use of the cardholders’ sensitive and extensive financial records since the breach,” the Ormans alleged in the complaint. They seek unspecified damages.
Citigroup said in June that the breach, affecting 1.5 percent of its card customers in North America, was discovered at Citi Account Online during routine monitoring.
… Citigroup also failed to disclose how it concluded that “more sensitive information like social security numbers, birth dates, card expiry dates and CVV card security codes were not compromised,” according to the complaint.

(Related)
Ameritrade lawsuit settlement approved
October 7, 2011 by admin
In one of the longer-running databreach lawsuits, a court has now approved the settlement in the Ameritrade case. Associated Press reports that the deal will cost Ameritrade between $2.5 million and $6.5 million. Settlement details are available online at www.accountdatasettlement.com.


Obvious in retrospect.
Google Adds More Security to Google+ [News]
… Previously, Plus users could only make content private after it was made public to one or more of their Plus Circles. But now you can select privacy controls before content is posted.


...and let's not forget, maybe they're better than everyone else?
Google and the antitrust inquiry: Fighting shadows
As Google’s federal antitrust case winds its way through the halls of justice in Washington, investigators for the Federal Trade Commission and the Justice Department will have to consider some fundamental questions about how to apply antitrust law to a company whose primary products are free — and whose monopoly was arguably gained not through coercive relationships but through the power of an algorithm. In other words, what does the word “monopoly” even mean when applied to a web-based entity like Google? Are network effects a barrier to entry, as some have argued, or are online monopolies inherently more fragile than their real-world cousins?


At least I can use Google to find a book I might want to read, then actually purchase it or have my library run it down.
October 07, 2011
The Song of the Sirens: Google Book's Project and Copyright in a Digital Age
The Song of the Sirens: Google Book's Project and Copyright in a Digital Age, Clarice Castro and Ruy De Queiroz, September 1, 2011
  • "Numerous scholars have highlighted the extraordinary book-scanning project created by Google in 2004. The project aims to create a digital full text search index which would provide people with online access to books and assist research. A few months after the original idea started being implemented, the Authors Guild and the Association of American Publishers-AAP filed a class-action lawsuit, claiming that Google Book’s Project violated copyright law in the United States. The main contention was that the books which were not under public domain could not have been scanned without permission and compensation for authors and publishers. Google’s Book Project radically changed its character from the time of its birth until the negotiation of an Amended Settlement Agreement - ASA with the plaintiffs. It has raised serious controversies not only regarding different aspects of the future of the Internet but also over the issue of privatization of knowledge. Those in favour of the initiative highlight the astonishing accomplishment of Google, allowing us to access books more easily than ever before in human history. However, their claim is as dangerous as the song of the sirens. While at first sight Google tells a tale of extraordinary inclusion, it excludes those who cannot pay to access snippets or limited view of around 80% of the books available. We will also discuss the Amended Settlement Agreement of Google with the Author’s Guild and its failure on March, 2011. Finally, we will explore the concept of “fair use,” or “exceptions and limitation on copyright,” which provides for full access to books to any individual, library or archive as long as they are used for educational or scientific purposes."


For my CJ students... Isn't this something Facebook already does for free?
"The FBI by mid-January will activate a nationwide facial recognition service in select states that will allow local police to identify unknown subjects in photos, bureau officials told Nextgov. The federal government is embarking on a multiyear, $1 billion dollar overhaul of the FBI's existing fingerprint database to more quickly and accurately identify suspects, partly through applying other biometric markers, such as iris scans and voice recordings."

(Related) Not sure I agree, but this might be interesting to kick around...
Forensic DNA Could Make Criminal Justice Less Fair


For my Data Mining and Data Analytics students
October 07, 2011
Six Provocations for Big Data
Six Provocations for Big Data, Danah Boyd and Kate Crawford
  • "The era of Big Data has begun. Computer scientists, physicists, economists, mathematicians, political scientists, bio-informaticists, sociologists, and many others are clamoring for access to the massive quantities of information produced by and about people, things, and their interactions. Diverse groups argue about the potential benefits and costs of analyzing information from Twitter, Google, Verizon, 23andMe, Facebook, Wikipedia, and every space where large groups of people leave digital traces and deposit data. Significant questions emerge. Will large-scale analysis of DNA help cure diseases? Or will it usher in a new wave of medical inequality? Will data analytics help make people’s access to information more efficient and effective? Or will it be used to track protesters in the streets of major cities? Will it transform how we study human communication and culture, or narrow the palette of research options and alter what ‘research’ means? Some or all of the above? This essay offers six provocations that we hope can spark conversations about the issues of Big Data. Given the rise of Big Data as both a phenomenon and a methodological persuasion, we believe that it is time to start critically interrogating this phenomenon, its assumptions, and its biases.
(This paper was presented at Oxford Internet Institute’s A Decade in Internet Time: Symposium on the Dynamics of the Internet and Society on September 21, 2011.)"

(Related)
Data Mining: DHS Needs to Improve Executive Oversight of Systems Supporting Counterterrorism, GAO-11-742, Sep 7, 2011


Shocking!
"ISPs are wildly exaggerating the cost of increased internet traffic, according to a new report. Fixed and mobile broadband providers have claimed their costs are 'ballooning' because of the expense of delivering high-bandwidth services such as video-on-demand. However, a new report from Plum Consulting claims the cost per additional gigabyte of data for fixed-line ISPs is between €0.01-0.03 per GB. The report labels claims of ballooning costs a 'myth.'"


Also shocking: How dare anyone suggest that politicians “get it!”
"Apparently there are some politicians who 'get it.' At least it seems that way after reading an entry on the blog of Rick Falkvinge (founder of the Swedish Pirate Party). He says the Green party group, fifth largest in the European Parliament, has officially adopted several of the Pirate Party's stances in a new position paper (PDF). The Greens say, 'the copyright monopoly does not extend to what an ordinary person can do with ordinary equipment in their home and spare time,' adding that a 20-year protection term is more reasonable than 70 years. They go on to say, 'Net Neutrality must be guaranteed,' and also mention DRM: 'It must always be legal to circumvent DRM restrictions, and we should consider introducing a ban in the consumer rights legislation on DRM technologies that restrict legal uses of a work.'"
