Saturday, July 02, 2011

Isn't keeping quiet about the breach offset by all the reporting on the lawsuit?

Cancer Center Blamed for Stolen Laptop; Delayed Notice Blamed for ID Theft

By Dissent, July 1, 2011

Okay, here’s a breach I never saw reported anywhere in my usual sources, until I read about it in a lawsuit. Via Courthouse News’ Joe Harris:

A hospital and cancer center allowed a laptop computer stuffed with unencrypted, confidential information on its patients to be stolen, and did not notify patients of the data theft for 8 weeks, patients say in a class action.

Named plaintiff Rita Barricks claims the laptop was stolen during the weekend of Dec. 4, 2010 from Barnes-Jewish Hospital dba The Siteman Cancer Center, a joint venture between Washington University and Barnes-Jewish Hospital.

Barricks says the computer contained patients’ names, addresses, phone numbers, birth dates, Social Security numbers, medical records, diagnoses, lab results, email addresses, insurance information and employment information.

“WashU and BJC have a policy of encrypting the sensitive information of plaintiffs,” according to the complaint City Court. “However, the stolen laptop was unencrypted and contained unencrypted sensitive information.”

Barricks claims the defendants immediately knew about the theft, but waited 8 weeks – until Jan. 28 – to inform patients.

During that time, Barricks says, her identity was stolen.

Read more on Courthouse News.

Interesting legal approach as she reportedly experienced harm because the defendants not only did not encrypt sensitive data but seemingly did not take timely steps to mitigate the risk of harm to her by notifying her promptly. Will HITECH giving entities up to 60 days to report a breach be used to defend the hospital’s delay in notifying patients?

The complaint makes for interesting reading and I wonder what will the court do with this one.

Stay tuned….

When I see the words “potential breach” in a press release I have to wonder if that means the organization is “unable to determine what happened.” In this case, we also have an outsider telling them they had been compromised and “no evidence” (translation: no clue) what data was stolen, and you have to ask, “Do they have ANY security?”

JetBlue informed of malware on their system; Crewmembers notified months later?

July 1, 2011 by admin

A correspondent indicates that JetBlue has reportedly notified employees of a “potential” breach of their confidential information. In a written notification sent via mail, dated June 24, 2011, JetBlue states:

“A federal law enforcement agency recently informed JetBlue that malicious software may have been installed on our computer systems. Upon notification, we immediately launched an investigation and, upon finding the malicious software, removed it.”

“Our investigation has revealed that the malicious software was designed to allow an attacker to remotely search and collect information stored on our computer systems. On April 1, 2011, we learned that the affected systems included computer files containing confidential business information as well as personal information including the names, social security numbers and retirement fund account balances of Crewmembers employed by JetBlue since 2005.

“We would like to emphasize that, to date, we have no evidence that your personal information was actually obtained or has been misused.”

JetBlue is reportedly offering affected employees 12 months of services through Debix.

If anyone has a copy of the notification that they can scan in and email to me at admin[at], that would be great.

As more devices become “Smart” we have more tools for surveilling/incriminating ourselves.

StolenCameraFinder: Get Help In Finding Your Lost & Stolen Digital Cameras

Modern digital cameras store their serial number in the metadata of pictures they take. If somebody who has stolen your digital camera shoots photos with it and uploads them to the web, you can use the serial number to track down the camera. An easy way to do this is through Stolen Camera Finder.

Stolen Camera Finder is a free web service that searches for photos that have your stolen digital camera’s serial number stored in their metadata. If you know the camera’s serial number you can manually enter it into the site; otherwise you can drag a photo shot from the camera earlier into the site’s interface – the site then reads the serial number from the picture’s metadata. With the serial number obtained, the site crawls the web to look for any photos with your camera’s serial number in its metadata and then displays the links to you.
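What the service above is matching on is an ordinary EXIF field. The following is an added illustration, not code from the original post or from the Stolen Camera Finder service: a minimal JPEG/EXIF walker that pulls the standard BodySerialNumber tag (0xA431) out of an image, and the defensive counterpart that drops the APP1 metadata segment before a photo is posted. It assumes the camera wrote the serial into that standard tag; many cameras put it (or only put it) inside the vendor MakerNote, which this does not parse. The sample JPEG is constructed by hand so the script runs offline.

```python
"""Read, then strip, the camera body serial number stored in a JPEG's EXIF block.

Added example (not from the original page or from Stolen Camera Finder). The
sample image built below is constructed, not a real camera file.
"""
import struct

EXIF_IFD_POINTER = 0x8769    # IFD0 entry pointing at the Exif-private IFD
BODY_SERIAL_NUMBER = 0xA431  # EXIF 2.3 BodySerialNumber, ASCII (assumed tag location)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # TIFF field types


def iter_jpeg_segments(jpeg):
    """Yield (marker, payload) for each marker segment up to the scan data (SOS)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):       # SOS or EOI: no more metadata segments
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def read_ifd(tiff, offset, endian):
    """Return {tag: (field_type, count, raw 4 bytes)} for the IFD at `offset`."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, ftype, n = struct.unpack(endian + "HHI", tiff[base:base + 8])
        entries[tag] = (ftype, n, tiff[base + 8:base + 12])
    return entries


def field_value(tiff, entry, endian):
    """Decode one IFD entry; values wider than 4 bytes live at the offset in the entry."""
    ftype, n, raw = entry
    size = TYPE_SIZES[ftype] * n
    if size <= 4:
        data = raw[:size]
    else:
        (off,) = struct.unpack(endian + "I", raw)
        data = tiff[off:off + size]
    if ftype == 2:                                   # ASCII, NUL-terminated
        return data.split(b"\0", 1)[0].decode("ascii", "replace")
    if ftype == 4 and n == 1:                        # LONG
        return struct.unpack(endian + "I", data)[0]
    return data


def exif_body_serial(jpeg):
    """Return the BodySerialNumber string from the first EXIF APP1 segment, or None."""
    for marker, payload in iter_jpeg_segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        endian = "<" if tiff[:2] == b"II" else ">"
        if struct.unpack(endian + "H", tiff[2:4])[0] != 42:
            raise ValueError("bad TIFF header in EXIF segment")
        (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
        ifd0 = read_ifd(tiff, ifd0_off, endian)
        if EXIF_IFD_POINTER not in ifd0:
            return None
        exif_ifd = read_ifd(tiff, field_value(tiff, ifd0[EXIF_IFD_POINTER], endian), endian)
        if BODY_SERIAL_NUMBER in exif_ifd:
            return field_value(tiff, exif_ifd[BODY_SERIAL_NUMBER], endian)
        return None
    return None


def strip_app1(jpeg):
    """Return a copy of the JPEG with every APP1 (EXIF/XMP) segment removed."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):       # scan data and everything after it are kept verbatim
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker != 0xE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    out += jpeg[pos:]
    return bytes(out)


def build_sample_jpeg(serial):
    """Constructed sample: SOI, one EXIF APP1 carrying BodySerialNumber, empty SOS, EOI."""
    text = serial.encode("ascii") + b"\0"
    if len(text) <= 4:
        raise ValueError("sample builder only handles serials stored out-of-line (>3 chars)")
    ifd0_off, exif_off, str_off = 8, 26, 44    # 8-byte TIFF header, two one-entry IFDs of 18 bytes
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", EXIF_IFD_POINTER, 4, 1, exif_off) + b"\0\0\0\0"
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", BODY_SERIAL_NUMBER, 2, len(text), str_off) + b"\0\0\0\0"
    tiff += text
    app1 = b"Exif\0\0" + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda\x00\x02" + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg("3210987654")
    print("serial in photo:", exif_body_serial(photo))                 # 3210987654
    print("serial after strip:", exif_body_serial(strip_app1(photo)))  # None
```

The same tag that lets an owner trace a stolen body also lets anyone else link every photo you post back to one physical device, so the strip step is what a privacy-conscious uploader wants; note that it removes XMP as well, since both live in APP1, and that the scan data itself is left untouched.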


(Related) In case you prefer to be the spyer rather than the spyee. For the Home Network...

Employee Monitor – Spyware Software You Can Actually Make Use Of [Windows]

… For your home network, you may only want to “spy” on a few computers to make sure that your kids aren’t getting themselves into trouble. One of the few, full-featured, free applications available that can do this is called ExtraSpy Employee Monitor.

Perhaps Cloud computing (at least the file storage part) is more valuable than I thought!

Dropbox TOS Includes Broad Copyright License

"Dropbox recently updated their TOS, Privacy Policy, and Security Overview. Included in the TOS is the following statement: 'By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.' I think Dropbox is a great service, but what is the significance of granting them such broad usage rights?"

Elsewhere in the same Terms of Service, which are a few notches above the norm in both brevity and readability, Dropbox says both "Dropbox respects others’ intellectual property and asks that you do too," and "You retain ownership to your stuff."

...and how do you know the filter is for “Child Porn” and not to block “We don't like the government?”

Telstra Starts Implementing Australian Censorship Scheme

"After four long years of debate about whether Australia will receive a mandatory Internet filter, finally some action has been taken. Yesterday the country's largest ISP, Telstra, started filtering all customers' connections for child pornography. The filter is DNS-based, meaning it's easy to circumvent, but you can't opt out of it — if you sign up to a plan with Telstra, your connection will be filtered for certain web addresses whether you like it or not. "

A cautionary tale for my Lawyer friends... And this was to determine if the lawyer should be sanctioned!

RightHaven Lawyer Says Browser Ate His Homework

"Wired Magazine reports that Righthaven attorney Shawn Mangano's excuse for being a day late with his explanation as to why the litigation factory made 'dishonest statements to the court' was that his web browser upgraded and he could no longer attach PDF files to his submissions. Yeah, right ..."

For my Risk Management students

July 01, 2011

BIS - Operational Risk - Supervisory Guidelines for the Advanced Measurement Approaches - final document

"The Basel Committee on Banking Supervision issued two papers on operational risk: Principles for the Sound Management of Operational Risk and Operational Risk - Supervisory Guidelines for the Advanced Measurement Approaches. The regulatory capital adequacy framework envisages that, over time, the operational risk discipline will continue to mature and converge towards a narrower band of effective risk management and measurement practices. The guidance on advanced measurement approaches promotes improvement in this area by setting out supervisory guidelines relating to governance, data and modelling. A consultative version of this report was issued for public consultation in December 2010.

For my Statistics students

July 01, 2011

Census Bureau Releases Data on Alaska, Colorado, Connecticut, Nebraska and North Carolina

News release: "The U.S. Census Bureau today released new, detailed demographic information from the 2010 Census for Alaska, Colorado, Connecticut, Nebraska and North Carolina. These Summary File 1 tables provide the most detailed counts available so far from the 2010 Census, including cross-tabulations of age, sex, households, families, relationship to householder, housing units, detailed race and Hispanic or Latino origin groups, and group quarters. The statistics are available for a variety of geographic areas, with most tables available down to the block or census tract level."

Simple forensics...

Researchers Track Cell Phones Indoors By Listening In

"Researchers at Northwestern University and the University of Michigan have developed a technique which aims to extend the reach of mobile phone location tracking. Their free iPhone app, Batphone, extracts a location 'fingerprint' from a short recording of ambient sound. This software-only approach allows the device to determine its location with high accuracy using its built-in microphone. Unlike prior indoor tracking techniques, Batphone does not rely on the presence of Wi-Fi access points to serve as landmarks, although these can be used to assist the system when available. They also posted a web game which allows you to test your own ability to recognize rooms by listening. Technical details are in a paper which was presented at the MobiSys conference on Thursday. This is from the same people who brought you laptop sonar."

Because you can never have enough free stuff.

Free Software Downloads

Free Software Downloads is nothing but an enormous guide of the best freeware that you are liable to find on the Internet. And everything is obviously arranged by category.

Friday, July 01, 2011

Local breach. “We don't need no stinking encryption!”

Lost in transit: Colorado Department of Health Care Policy and Financing notifies over 3,500 of missing disk

By Dissent, July 1, 2011

Michael Booth reports:

The state Department of Health Care Policy and Financing has lost thousands of applicant names on a computer disk for the second time in a year, triggering a public notice under federal privacy rules.

HCPF officials said the names of 3,590 medical-aid applicants were on the lost disk, though the data did not include dates of birth, Social Security numbers or other personal information that could lead to identity-theft cases. Some of the lost information includes health data protected under the privacy rules of the Health Insurance Portability and Accountability Act.

The data did include the addresses and the state identification numbers for the applicants. The disk was lost on its way between two state agencies, the HCPF notice said, and was discovered May 6.

Read more on Denver Post.

A notice dated June 30 on the agency’s web site says:

The Department of Health Care Policy and Financing announced today that a computer disk containing applicant name, state identification number, and address has been lost in transit between two state agencies. The computer disk did not contain dates of birth, social security numbers, or other financial information that could be used for identity theft or fraud.

State officials discovered the loss on May 6, 2011.

The department has determined that some of the information on the computer disk is considered Protected Health Information and is protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Approximately 3,590 applicants’ information was lost and applicants will receive notification by mail as required by HIPAA.

[From the article:

Last summer, HCPF sent apology letters to 100,000 residents after a computer hard disk was discovered missing from equipment returned as surplus.

Perhaps perceptions are changing – or maybe they just do things differently in Canada?

Canadian data breach causes Durham residents to ‘not be another victim’

By Dissent, June 30, 2011

A follow-up to a breach first reported in December 2009.

Dan Raywood writes:

With every data breach there is a victim.

While it may often ‘just’ be a username, password or email address that is leaked, someone is bound to be affected. The announcement of a potential compromise of data could scare some more than others.

That said, some people are blase about data breaches so probably don’t really care. So in an ‘anonymous henchman’ style, does anyone really care about the victim?

Well maybe a recent class action suit could cause someone to take action. In a report I read recently, around 80,000 people are seeking $40 million in compensation for their data lost by the Canadian Durham region on an unencrypted USB flash drive.

According to, the data was personal information about people who had been vaccinated against the H1N1 flu virus. The class action suit was given the go-ahead by Justice Peter Lauwers of the Ontario Superior Court of Justice in late April, with Bowmanville resident John Sherlock Rowlands appointed as the ‘representative’ of the class.

It said that among the claims in the suit are that the region was negligent, there was a breach of a fiduciary duty, violation of privacy and breach of the Canadian Charter of Rights and Freedoms.

Read more on SC Magazine.


The USB key was lost in the parking lot of the Regional headquarters. [How would they know that? Bob]

… The court has already ordered the Region to pay almost $63,500 to the plaintiffs to handle some costs.

The lawyer retained by the Region, David Boghosian, said in an interview the "class has been certified, which we largely consented to."

… More information is available at

I'm gonna bet NO! Think of unencrypted data as sending a message on a postcard, whereas any encryption puts the data in an envelope.

Lawsuit Over Google WiFi Data Breach Will Move Ahead

July 1, 2011 by Dissent

Joe Mullin reports:

Google apologized long ago for the accidental collection of personal WiFi data by its Street View cars, but the snafu continues to produce headaches for the company. Now a San Jose federal judge has refused to throw out a class-action lawsuit against Google arguing that the data breach violated federal wiretapping laws.

This lawsuit is one of the more closely-watched ones in privacy circles, because it appears to be the first time a court has considered the issue of whether unencrypted WiFi data sent over public networks can be protected by privacy laws or not.


Related: Order in In re Google Inc. Street View Electronic Communications Litigation (NO. C 10-MD-02184 JW)

I doubt asking (even demanding) will be sufficient, so I suspect we'll see another lawsuit that I would like to see. Amazing how long these things can continue without anyone taking action.

NYC Mayor Demands $600M Refund On Software Project

"New York Mayor Michael Bloomberg is demanding that systems integrator Science Applications International Corporation reimburse more than $600 million it was paid in connection with the troubled CityTime software project, a long-running effort to overhaul the city's payroll system. 'The City relied on the integrity of SAIC as one of the nation's leading technology application companies to execute the CityTime project within a reasonable amount of time and within budget given the system's size and complexity,' Bloomberg wrote in a letter Wednesday to SAIC CEO Walter Havenstein. CityTime was launched in 2003 at a budget of $63 million, but costs swelled dramatically as the project stumbled along for nearly a decade."

[From the article:

The recent indictment of SAIC's lead project manager on the CityTime job, Gerard Denault, as well as the guilty plea to criminal charges made by SAIC systems engineer Carl Bell, who designed the software, are "extremely troubling and raise questions about SAIC's corporate responsibility and internal controls to prevent and combat fraud," he added. Denault and Bell were charged with taking kickbacks, wire fraud and money laundering.

Also recently indicted were Reddy and Padma Allen, a couple who head up New Jersey systems integrator TechnoDyne, which was SAIC's primary subcontractor on the CityTime project. Federal authorities allege that the Allens and others conducted an elaborate overbilling and kickback scheme that siphoned millions of dollars from the project.

Better. Now all we need is an MBR restore kit.

Microsoft Says Reinstall Overkill In Removing Rootkit

"Microsoft has clarified the advice it gave users whose Windows PCs are infected with a new, sophisticated rootkit dubbed Popereb that buries itself on the hard drive's boot sector, noting Wednesday that a complete OS reinstall is not necessary. 'If your system is infected with Trojan:Win32/Popureb.E, we advise fixing the MBR using the Windows Recovery Console to return the MBR to a clean state,' MMPC engineer Chun Feng wrote in an updated blog entry. Feng provided links to instructions on how to use the Recovery Console for Windows XP, Vista and Windows 7. Once the MBR has been scrubbed, users can run antivirus software to scan the PC for additional malware for removal, Feng added. Several security researchers agreed with Microsoft's revisions, but a noted botnet expert doubted that the advice guaranteed a clean PC. But an internationally-known botnet expert disagrees. Joe Stewart, director of malware research at Dell SecureWorks, said, 'Once you're infected, the best advice is to [reinstall] Windows and start over ... [MBR rootkits] download any number of other malware. How much of that are you going to catch? This puts the user in a tough position.' MBR rootkit malware is among the most advanced of all threats."

Let me draw you a picture...

How Phones Get Phished [INFOGRAPHIC]

A phishing attack — wherein a user is prompted by a seemingly legitimate page to enter certain log-in credentials such as PayPal or banking information — isn’t a sophisticated hack that programmatically sifts through your data or bricks your hardware. Rather, it relies on a certain lack of caution and naiveté on the part of users.

Wiretaps were approved 99.9% of the time, and no bad guy was smart enough to use strong encryption (or those who did were handled in other ways)

June 30, 2011

2010 Wiretap Report Shows Increase in Authorized Intercepts

"Federal and state applications for orders authorizing or approving the interception of wire, oral or electronic communications increased 34 percent in 2010, compared to the number reported in 2009. The interceptions are reported in the 2010 Wiretap Report, released today by the Administrative Office of the United States Courts (AOUSC). The current report covers intercepts concluded between January 1, 2010 and December 31, 2010. A total of 3,194 intercept applications by federal and state courts were authorized in 2010, with 1,207 applications by federal authorities authorized and 1,987 applications by 25 states authorized. One application was denied. Installed intercepts totaled 2,311."

[From the report:

Public Law 106-197 amended 18 U.S.C. § 2519(2)(b) in 2001 to require that reporting should reflect the number of wiretap applications granted in which encryption was encountered and whether such encryption prevented law enforcement officials from obtaining the plain text of the communications intercepted pursuant to the court orders. In 2010, encryption was reported during six state wiretaps, but did not prevent officials from obtaining the plain text of the communications.

Just because this is so obvious even a caveman can understand it does not mean anyone in Congress will. (Unless it comes wrapped in campaign contributions)

June 30, 2011

FTC: Consumer Confidence in Internet Marketplace Depends on Privacy Protections

News release: "The Federal Trade Commission told Congress that consumers must be confident that their privacy will be protected if they are to be willing to take advantage of all the benefits offered by the Internet marketplace. Commission testimony to the Senate Committee on Commerce, Science and Transportation, delivered by Commissioner Julie Brill, states that, “Privacy has been an important component of the Commission’s consumer protection mission for 40 years. During this time, the Commission’s goal in the privacy arena has remained constant: to protect consumers’ personal information and ensure that they have the confidence to take advantage of the many benefits offered by the dynamic and ever-changing marketplace.”

  • "Ioana Rusu, regulatory counsel for Consumers Union, the nonprofit publisher of Consumer Reports, shared new poll results when she testified at a Senate committee hearing on online privacy and data security tomorrow. A May poll conducted by Consumer Reports shows that two-thirds of consumers feel that the government should be involved with safeguarding their online privacy, while 81 percent of respondents agreed that they should be able to permanently opt out of Internet tracking from a single location."

Free is good!

Thursday, June 30, 2011

Many Books - 29,000 Free eBooks

Many Books is a service that has indexed more than 29,000 free ebooks that are available in a variety of formats for a variety of devices. The books that you will find through Many Books are works that are either in the public domain or have been licensed for free distribution. You can search Many Books by title, author, genre, or language.

Thursday, June 30, 2011

Since rootkits like this one are so difficult to remove, think of their value as Cyber-weapons. A more subtle infection could go unnoticed until “e-Day.”

Massive Botnet "Indestructible," Say Researchers

"A new and improved botnet that has infected more than four million PCs is 'practically indestructible,' security researchers say. TDL-4, the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is 'the most sophisticated threat today,' said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis on Monday. Others agree. 'I wouldn't say it's perfectly indestructible, but it is pretty much indestructible,' Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, told Computerworld on Wednesday. 'It does a very good job of maintaining itself.' Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. But that's not TDL-4's secret weapon. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. 'The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet,' said Roel Schouwenberg, senior malware researcher at Kaspersky. 'The TDL guys are doing their utmost not to become the next gang to lose their botnet.'"

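Both the Popureb item above (Microsoft's advice to rebuild the MBR from the Recovery Console) and the TDL-4 item come down to the same 512-byte artifact, so one check serves both. The following is an added example, not code from Microsoft, Kaspersky, Computerworld or this blog: it parses a master boot record, verifies the 0x55AA signature, lists the partition table, and compares the 440-byte boot-code area against a hash of a sector the operator already trusts, which is the simplest way to notice that a bootkit has rewritten it before deciding whether `fixmbr` is enough. The sample sectors are constructed (no real boot code is reproduced), and reading the live sector from the disk is left to the caller.

```python
"""Baseline comparison for the MBR that Popureb and TDL-4 overwrite.

Added example (not from the Computerworld/Slashdot text, Microsoft or Kaspersky).
The sectors built below are constructed; the baseline hash must come from a
sector the operator trusts (for example one captured at install time).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440     # bytes 0..439 hold the boot code a bootkit replaces
DISK_SIG_OFF = 440      # 4-byte Windows disk signature
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector):
    """Return boot-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype == 0:
            continue
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
    }


def check_mbr(sector, baseline_sha256, disk_sectors):
    """Return a list of findings; an empty list means the MBR matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootkit; restore the MBR)")
    active = [p["slot"] for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append("partition %d starts at LBA 0 and overlaps the MBR" % p["slot"])
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["slot"])
    return findings


def build_sample_mbr(boot_code, partitions, disk_signature=0x1234ABCD):
    """Constructed sector: boot code padded to 440 bytes, signature, entries, 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", disk_signature)
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        # status, CHS start (3, unused here), type, CHS end (3, unused), LBA start, sector count
        entry = bytes([0x80 if active else 0, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba_start, sectors)
        sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)] = entry
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed stand-in for clean boot code; a real baseline hash is taken from a trusted sector.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
DISK_SECTORS = 2 ** 21  # a 1 GiB disk in 512-byte sectors
CLEAN_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, DISK_SECTORS - 206848)]


def demo():
    """Run the check on a clean sector and on one patched bootkit-style; return both finding lists."""
    clean = build_sample_mbr(CLEAN_BOOT_CODE, CLEAN_PARTITIONS)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Bootkit-style patch: the first instructions replaced with a jump into attacker code.
    infected = build_sample_mbr(b"\xe9\x00\x01" + CLEAN_BOOT_CODE[3:], CLEAN_PARTITIONS)
    return check_mbr(clean, baseline, DISK_SECTORS), check_mbr(infected, baseline, DISK_SECTORS)


if __name__ == "__main__":
    for label, findings in zip(("clean", "infected"), demo()):
        print(label, findings or "OK")
```

To run this against a real machine, read the first 512 bytes of the physical disk (`\\.\PhysicalDrive0` on Windows with administrator rights, `/dev/sda` or similar on Linux) and pass them to `check_mbr` with a hash recorded when the system was known clean. A matching hash only clears the MBR itself: as Stewart points out above, a bootkit usually pulls down further malware, so this check tells you whether `fixmbr` has a job to do, not that the rest of the system is clean. On GPT/UEFI systems the MBR is only a protective stub and the bootloader lives elsewhere.
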
Jurisdiction be damned? Virtual access to data now depends only on who can threaten profitability? in the anti-trust guys at DOJ?

The Patriot Act and the EU Cloud

"Gordon Frazer, managing director of Microsoft UK said that the Patriot Act allows government access to data in its cloud services even in Europe. Though he said that 'customers would be informed wherever possible,' he could not provide a guarantee that they would be informed if a gagging order, injunction or U.S. National Security Letter permits it."

(Related) ...and it's just gonna get worse.

Microsoft: 'We can hand over Office 365 data without your permission'

Hidden within a whitepaper, detailing the security features in the upcoming Office 365 suite, it reveals links to the Trust Center; a treasure trove of data protection policies and legalities of how Microsoft will handle your data in its cloud datacenters.

(Related) Think of this as a way to gain physical access to foreign data.

Chinese City Wants To Build a Censorship-Free Hub

"The city of Chongqing's proposed Cloud Computing Special Zone would be home to 'a handful of state-of-the-art data centers and is designed to attract investment from multinational companies and boost China's status as a center for cloud computing,' writes the IDG News Service's Michael Kan. The part that's drawing the ire of Chinese Internet users: This censorship-free hub would only be for foreign companies."

(Related) Another “Cloud” story that I could also categorize under “It's not a One-Strategy-Fits-All world”

SpyCloud: Intel Agencies Look to Keep Secrets in the Ether

Dropbox for files, Google for mail, iCloud for well, everything. Average citizens have all kinds of options for storing their information in the cloud. Now, spies want in. Soon, our nation’s secrets may take on a slightly more nebulous form.

In-Q-Tel, the investment arm of the CIA and U.S. intelligence community, recently sunk money into a cloud-based storage company called Cleversafe. It says the platform is “ideal for storing mission critical data by addressing the core principles of data confidentiality, integrity and availability.” (Incidentally, those principles also spell out CIA). [So does Cunning if Idiotic Acronym Bob]

This is only one of a series of new government initiatives to move into the cloud. Since last year, the administration has embraced a “cloud first” policy, which encourages cloud-based solutions “whenever a secure, reliable, cost-effective cloud option exists.” The Pentagon is already planning its migration, and the 2011 Cloud Computing Act, expected out in a few weeks, may put in place even more incentives for investing in cloud computing options.

I guess you could call this another jurisdictional question...

Amazon Drops California Associates to Avoid Sales Tax

"Residents of California who participate in the Amazon Associates Program received an email warning them that the program will be terminated as soon as a new California law goes into effect. The law, which CA governor Jerry Brown signed, would require online retailers to collect sales tax on purchases. According to Amazon's statement, 'We oppose this bill because it is unconstitutional and counterproductive. It is supported by big-box retailers, most of which are based outside California, that seek to harm the affiliate advertising programs of their competitors.'"

(Related) So, will this make things “unfriendly” enough to cause Silicon Valley to move to New Jersey? I kinda doubt it.

California targets Kindle lab in Amazon tax spat

Amazon said today that it's reluctantly severing ties with affiliates in California, a move that it hopes will let it continue shipping products to state residents without collecting sales taxes.

But a little-noticed clause in the legislation that Gov. Jerry Brown, a Democrat, signed into law today gives California tax collectors a second, albeit legally untested, cudgel to use against the Seattle-based company. The law takes effect immediately.

The measure says that any retailer who "through a subsidiary" has any "place of business" in California must collect sales taxes. And--surprise!--Amazon has two subsidiaries in California: A9, in Palo Alto, which works on search technology, and Cupertino-based Lab126, which designed the Kindle and is rumored to be working on much more.

Very high level, but no endorsement for “3 strikes” or similar (that I can see)

June 29, 2011

Organization for Economic Cooperation and Development's proposed online copyright protection plan

OECD draft Communiqué on Principles for Internet Policy-Making, June 29, 2011

  • "The policy-making principles in this communiqué are designed to help preserve the fundamental openness of the Internet while concomitantly meeting certain public policy objectives, such as the protection of privacy, security, children online, and intellectual property, as well as the reinforcement of trust in the Internet. Effective protection of intellectual property rights plays a vital role in spurring innovation and furthers the development of the Internet economy. Internet policy making principles need to take into account the unique social, technical and economic aspects of the Internet environment. It is clear that the open and accessible nature of the Internet needs to be supported for the benefit of freedom of expression, and to facilitate the legitimate sharing of information, knowledge and exchange of views by users including research and development that has brought about widespread innovation to our economies."

  • EFF Declines to Endorse OECD Draft Communiqué on Principles for Internet Policy-Making: "We oppose legal and policy frameworks that encourage Internet intermediaries to filter and block online content or disconnect Internet users under a “graduated response” system after alleged copyright violations. Civil society calls on OECD member states to defend free expression and support due process and procedural safeguards in the protection of intellectual property rights."

Oh no! This theory did not “evolve” it was the result of intelligent design!

Young Darwin’s Marginalia Shows Evolution of His Theory

A trove of books from Charles Darwin’s personal library is now digitized, online and free for all to view. The collection, displaying Darwin’s scrawled-in-pencil marginalia, tantalizingly reveals his thought process as he developed the theory of evolution.

It's like free crack...

World of Warcraft Goes Free With Starter Edition

"Blizzard Entertainment has announced that its enormously popular online role-playing game World of Warcraft will be free to play for characters up to level 20. WoW has always offered free trials of one of the world's biggest multi-player online games but previous offers have always been limited to a set number of days. The new policy means that first-time visitors to Azeroth will be able to build an unlimited number of characters and classes up to level 20 at their leisure, although there will be some limitations."

Free is good.

6 Live Professional News Streams You Can Watch Online For Free

  • Al Jazeera
  • NHK World


Everyone has an opinion

107 Best Websites On The Web

Wednesday, June 29, 2011

Now we will be treated to swarms of “journalists” trying to interpret the raw data out of any context.

Hackers: Here's Zimbabwe, Brazil, UMG, Viacom data

Hackers today released data they said was from the governments of Zimbabwe and Brazil, entertainment giants Universal Music Group and Viacom, and a municipal government in Australia.

Meanwhile, the Anonymous group also reportedly temporarily shut down a tourism Web site for Orlando, Fla., with a distributed denial-of-service (DDoS) attack today to protest the arrest of Food not Bombs volunteers for serving food in public in Orlando without a permit.

The “Harrisburg Project” (subcontractor to the state) released this data originally. Did they not know what was on the laptops or did they just lie?

(update) Laptops stolen from a contractor’s van had a slew of sensitive student data

June 29, 2011 by admin

Remember the Illinois State Board of Education laptops stolen from a Harrisburg Project van recently? I was reading more about the incident and noticed that there was even more sensitive data on the laptops than originally indicated in media coverage:

The staff data stored on the computers included name, demographics, Social Security number, teacher certification number and work assignment. The student data included resident school district, birth date, name, student identification number, Social Security number, student’s identified disability, bilingual special education and other information.

And Social Security Numbers were being used in student files…. why?

Read more on Beacon News and remember that the federal government wants to compile and track even more data on students. Oh yeah, what could possibly go wrong?

I thought this might be an “Executive Privilege” argument, but apparently they just didn't want to be bothered...

Texas Official Must Talk About Data Leaks

June 29, 2011 by admin

David Lee reports:

A state judge ordered the Texas Comptroller of Public Accounts to comply with a request for a deposition on the leak of personal information of more than 3.5 million people.

Comptroller Susan Combs disclosed in April that the personal information of 3.5 million state employees and former employees had been stored on a publicly accessible computer server for about a year.

Travis County Judge Rhonda Hurley ruled on Monday that Combs must submit to questions about the leak from the Texas Civil Rights Project.

Read more on Courthouse News. Combs has indicated that she will appeal the ruling.

[From the Courthouse News article:

"The court finds that the likely benefits of allowing the depositions to investigate a potential claim outweigh the burden or expense of the procedure,"

Not creating privacy, but perhaps this lawyer sees where companies are overreaching and can be pushed back?

Keen On… Michael Fertik: Why People Will Pay for Privacy (TCTV)

Will people pay for online privacy? Yes, they will – at least according to Michael Fertik, the founder and CEO of, one of the early leaders in the new online privacy ecosystem. Indeed, Fertik believes that privacy is the next big thing in the online economy – a necessary antidote to Reid Hoffman’s Web 3.0 economy of pervasive personal data.

We can learn from failure...

Sean Parker On Why Myspace Lost To Facebook

With reports of social network Myspace about to sell for ~$30 million, the tech world eagerly awaits the HBS study for why the service, which was bought in 2006 by Newscorp for $580 million and was at some point valued at $1.5 billion (a quote in a Business Week article referred to it as “one of the best acquisitions ever”) ultimately failed.

… at minute 20:54 Fallon asks Parker, “Where did Myspace go wrong?”

“The failure to execute product development,” Parker replies. “They weren’t successful in treating and evolving the product enough, it was basically this junk heap of bad design that persisted for many many years. There was a period of time where if they had just copied Facebook rapidly, they would have been Facebook. They were giant, the network effects, the scale effects were enormous.”

Google goes Social? Bummer..

June 28, 2011

Introducing the Google+ project: Real-life sharing, rethought for the web

Official Google Blog: "Among the most basic of human needs is the need to connect with others. With a smile, a laugh, a whisper or a cheer, we connect with others every single day. Today, the connections between people increasingly happen online. Yet the subtlety and substance of real-world interactions are lost in the rigidness of our online tools. In this basic, human way, online sharing is awkward. Even broken. And we aim to fix it. We’d like to bring the nuance and richness of real-life sharing to software. We want to make Google better by including you, your relationships, and your interests. And so begins the Google+ project..."


Jive: 53 Percent Of Execs Believe They Must Adopt Social Business Or Risk Falling Behind

Social enterprise giant Jive is releasing a study today, called the Jive Social Business Index, which surveyed 902 US‐based executives at large and mid-sized companies on their views of social in the enterprise.

The study revealed that Social Business is increasingly perceived as a strategic executive imperative in the enterprise, with 78 percent of the executives surveyed admitting that having a social strategy is critical to the future success of their businesses.

You don't own the game. When they “Sell” it to you, you should bring your IP lawyer...

Capcom Crushes Retail Value of 3DS Resident Evil With Permanent Saved Game

When you open your brand-new copy of Resident Evil: The Mercenaries 3D on Tuesday, you may find something interesting in the manual.

“Note: Saved data on this software cannot be reset,” you are warned. When you play the game and your progress is saved, there is no way to take it back. That is your game forever.

Let me explain why this is so infuriating if you’re unclear on just how hostile this is to gamers. Once you’ve beaten the game, you can’t erase your progress and start over. If you want to loan the game to a friend, they won’t be able to start their own game from the beginning. You may be able to trade the game into a store or sell it, but I wouldn’t suggest buying it from someone used, since you won’t be able to start from the beginning and unlock all the content yourself.

Vendors dictating IT strategy. “We don't want our nice new software running on that old clunky hardware.” (and since we make that hardware, we'll be happy to sell you some new stuff.)

Oracle Shuts Older Servers Out of Solaris 11

"The Register is reporting that Oracle has decided not to allow Solaris 11 to install on older Sparc hardware, including UltraSparc-I, UltraSparc-II, UltraSparc-IIe, UltraSparc-III, UltraSparc-III+, UltraSparc-IIIi, UltraSparc-IV, and UltraSparc-IV+ processors. The Solaris 11 Express development version released in November did not have this restriction, which suggests that the OS would likely run on these models. Unfortunately, the installer won't. All generations of Sparc T series processors and Sparc Enterprise M machines will be able to install and run Solaris 11, however."

Does this seem to push copyright a bit too far? If I had a drawing of R2D2 would I be in violation?

Paramount Cease and Desist Targets 3D Printer ‘Pirate’

… Blatt makes digital models of the items he sees in movies and sends them off to 3D printing site Shapeways. They recreate the items in a range of materials from plastic to metal and offer them for sale online.

… On June 8th Blatt announced on movie prop fansite that he was recreating the distinctive cube-shaped items from the Stephen Spielberg movie ‘Super 8‘. On June 9th he uploaded the files to Shapeways.

By June 10th, Blatt had received unwelcome contact from Hollywood lawyers and all his posts on theRPF were quickly edited out.

Terminology change: “Frequent Flyers” will henceforth be known as “Frequent Fryers”...

June 28, 2011

EPIC v. DHS Lawsuit -- FOIA'd Documents Raise New Questions About Body Scanner Radiation Risks

EPIC: "In a FOIA lawsuit against the Department of Homeland Security, EPIC has just obtained documents concerning the radiation risks of TSA's airport body scanner program. The documents include agency emails, radiation studies, memoranda of agreement concerning radiation testing programs, and results of some radiation tests. One document set reveals that even after TSA employees identified cancer clusters possibly linked to radiation exposure, the agency failed to issue employees dosimeters - safety devices that could assess the level of radiation exposure. Another document indicates that the DHS mischaracterized the findings of the National Institute of Standards and Technology, stating that NIST "affirmed the safety" of full body scanners. The documents obtained by EPIC reveal that NIST disputed that characterization and stated that the Institute did not, in fact, test the devices. Also, a Johns Hopkins University study revealed that radiation zones around body scanners could exceed the "General Public Dose Limit." For more information, see EPIC: EPIC v. Department of Homeland Security - Full Body Scanner Radiation Risks and EPIC: EPIC v. DHS (Suspension of Body Scanner Program)."

Free is good.

Five Desktop Tools To Create Excellent Windows Environment

File Repair

File Repair software is a powerful tool to repair your corrupted files. It scans the damaged file and extracts maximum data from it to a new usable file. You can repair word documents, excel spreadsheets, zip, rar, selected video formats, pdf, etc.

Cryogenic FileSplitter

This is a simple application written in C# by which you can split large files into several pieces to transfer them easily over Internet.

USBFlashCopy

USBFlashCopy is a small Windows utility to back up your flash drives and storage cards on the fly. It runs in the background and copies files from inserted media to a safe location on your hard drive. USBFlashCopy copies only newer or updated files, you can optionally keep old versions of the files.

Appnimi ZIP Password Unlocker

Appnimi ZIP Password Unlocker is designed to let you search for passwords of protected ZIP files. This program guarantees recovery of even the most complicated passwords. Appnimi ZIP Password Unlocker allows you to search for the password of a protected ZIP file using a brute-force algorithm. After recovering the password it will extract the files to a destination folder.

Driver Magician Lite

Driver Magician Lite is freeware. It identifies all the hardware in the system, extracts the associated drivers from the hard disk and backs them up to a location of your choice. Then, when you format and reinstall/upgrade your operating system, you can restore all the “saved” drivers just as if you had the original driver diskettes in your hands.

Free is good.

2nd Edition of Learn Python the Hard Way Released

"Are you or your kid intrigued by Python, but not quite ready to purchase an in-depth O'Reilly book? Zed A. Shaw's 2nd edition of Learn Python The Hard Way may be a friendlier option. Shaw's path to Python programming is simple: 1. Go through each exercise, 2. Type in each sample exactly, 3. Make it run. If $60 for the hardcover is too much to ask, or $15.99 for paperback, you can spend a measly buck for the PDF/ePub download. Still too steep? OK, there's even a free online HTML edition. After completing the 52 exercises, Shaw's concluding Advice From An Old Programmer says, 'Which programming language you learn and use doesn't matter. Do not get sucked into the religion surrounding programming languages as that will only blind you to their true purpose of being your tool for doing interesting things.'"

Tuesday, June 28, 2011

Are we now reaching Carl Sagan levels of data breach? “BIL-yons and BIL-yons...”

Groupon leaks entire Indian user database

June 27, 2011 by admin

Patrick Gray writes:

The entire user database of Groupon’s Indian subsidiary was accidentally published to the Internet and indexed by Google.

The database includes the e-mail addresses and clear-text passwords of the site’s 300,000 users. [So, not yet BIL-yons... Bob] It was discovered by Australian security consultant Daniel Grzelak as he searched for publicly accessible databases containing e-mail address and password pairs. [Note: No hacking skills required Bob]

Grzelak used Google to search for SQL database files that were web accessible and contained keywords like “password” and “gmail”.


The company’s statement to users is cited in a Gadgets.ndtv article.

[From the Risky Biz article:

As a side project, he created, a website that allows any Internet user to search a database of known-compromised e-mail address and password pairs to see if their password has been compromised.

[From the Gadgets article:

As per legal regulations, credit card, debit card and netbanking data is not stored in SoSasta's database and hence that data was not compromised. [Perhaps we need a similar law in the US? Bob]
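As an added example (not code from the Risky Biz article, Groupon or Grzelak), here is a small check a site owner could run over their own web root to find database exports before a search engine indexes them, flagging rows whose password column holds clear-text values rather than hashes. The suffix list, regexes and the sample dump are constructed assumptions.

```python
# Added example (not the article's or Groupon's code): find database exports left
# under a web root and flag rows whose password column is stored in the clear.
import re
import tempfile
from pathlib import Path

# File names that usually mean "database export" (assumed list).
DUMP_SUFFIXES = (".sql", ".dump", ".bak", ".csv")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Column names that usually hold a credential.
PASSWORD_COL_RE = re.compile(r"passw(?:or)?d|pwd|pass_hash|password_hash", re.I)
# Values that look hashed rather than stored in the clear: bcrypt, argon2/pbkdf2/
# sha-crypt style strings, or bare hex digests of md5/sha1/sha256 length.
HASHED_RE = re.compile(
    r"^(?:\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}"
    r"|\$(?:argon2id?|pbkdf2[-\w]*|5|6)\$\S+"
    r"|[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
# One INSERT with an explicit column list; group 3 is the VALUES body.
INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+`?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*;?", re.I)
# A single value inside a VALUES tuple: quoted string or bare token (number, NULL).
TOKEN_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|([^,\s]+)")

def _tuple_values(body):
    """Split one VALUES tuple body into its individual values."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(body)]

def classify_dump(text):
    """Count distinct emails and hashed vs clear-text rows in a password column."""
    finding = {"emails": len(set(EMAIL_RE.findall(text))),
               "password_column": bool(PASSWORD_COL_RE.search(text)),
               "hashed_rows": 0, "plaintext_rows": 0}
    for line in text.splitlines():
        m = INSERT_RE.search(line)
        if not m:
            continue
        cols = [c.strip(" `\"").lower() for c in m.group(2).split(",")]
        idx = next((i for i, c in enumerate(cols) if PASSWORD_COL_RE.fullmatch(c)), None)
        if idx is None:
            continue
        for row in re.split(r"\)\s*,\s*\(", m.group(3)):  # multi-row "),(" form
            vals = _tuple_values(row)
            if idx >= len(vals) or vals[idx].upper() == "NULL":
                continue
            key = "hashed_rows" if HASHED_RE.match(vals[idx]) else "plaintext_rows"
            finding[key] += 1
    return finding

def scan_webroot(root):
    """Return a finding for every dump-like file under root that exposes data."""
    results = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or not path.name.lower().endswith(DUMP_SUFFIXES):
            continue
        finding = classify_dump(path.read_text(errors="replace"))
        if finding["emails"] or finding["password_column"]:
            finding["path"] = str(path)
            results.append(finding)
    return results

# Constructed sample dump; the addresses and values are made up.
SAMPLE_DUMP = """-- constructed sample, not real data
CREATE TABLE `users` (`id` int, `email` varchar(255), `password` varchar(255));
INSERT INTO `users` (`id`, `email`, `password`) VALUES (1, 'alice@example.com', 'hunter2');
INSERT INTO `users` (`id`, `email`, `password`) VALUES (2, 'bob@example.com', '5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8'),(3, 'carol@example.com', 'letmein');
"""

def demo_scan():
    """Write the sample into a throwaway web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "backup").mkdir()
        (Path(root) / "backup" / "users.sql").write_text(SAMPLE_DUMP)
        return scan_webroot(root)

if __name__ == "__main__":
    for f in demo_scan():
        print(f)
```

Any file the scan reports is one a crawler would have been able to index just as easily, so the fix is to move it out of the web root, not just to hash the column.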

Oh what fun! Perhaps we will learn how governments and organizations should react to such threats...

Anonymous Declares War On The City Of Orlando

The hacktivist group Anonymous may be setting its sights on the city of Orlando, Florida next, if an anonymous press release which has landed in our inbox is to be believed (see below). The group is threatening to take down a different city-related website every day, starting with Orlando Florida Guide, which doesn’t even appear to be owned by the city of Orlando (it is registered to an organization called Utopia, administered by a man named Steven Ridenour). So any random website extolling the virtues of Orlando could be targeted.

This looks like a challenge to hackers...

Sony: Brand perception 'clearly improving again'

Sony CEO Howard Stringer had an upbeat attitude during his company's annual shareholders meeting today, saying that the firm's brand is on the upswing following the PlayStation Network security breach, the Associated Press is reporting.

"Our brand perception, you'll be happy to know, is clearly improving again," Stringer reportedly told investors during the meeting. He went on to point out that 90 percent of Sony's PlayStation Network users have come back to the service. [Dude! We only lost 10% of our business! Are we good or what? Bob]

Oh joy. Check your backups and pray.

Rootkit Infection Requires Windows Reinstall

"Microsoft is telling Windows users that they'll have to reinstall the OS if they get infected with a new rootkit. A new variant of a Trojan Microsoft calls Popureb digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, Chun Feng, an engineer with the Microsoft Malware Protection Center (MMPC), said last week on the group's blog. 'If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR and then use a recovery CD to restore your system to a pre-infected state,' said Feng. A recovery disc returns Windows to its factory settings."

Something for my lawyer friends to debate? Will there be an Audit Trail to prove or disprove that something failed? If not, isn't that a failure? (Business Opportunity: Add-on Audit Trail)

When Active-Safety Systems Fail, Who Pays?

It’s an intriguing, and increasingly relevant, question as automakers pack their cars with ever more electronic nannies and the government ponders requiring things like back-up cameras. Semiautonomous systems are becoming more common as our cars do everything from keep us in our lanes to prevent us from hitting pedestrians. If any of these systems should fail, how would an insurance company deal with it?

It acts like malware, but it's merely Facebook being Facebook. After all, it's their ball and you have to play by their rules.

Facebook Blocks KDE Photo App, Deletes Users' Pics

"KDE users have gotten a rather unpleasant surprise from Facebook: Not only is the site blocking KDE apps like Gwenview from uploading, the social media giant has also taken down photos uploaded with the KDE plugins. Yet another reason that users might think twice before depending on Facebook for photo storage."

“We are a search company, so when the government wants evidence, who they gonna call?”

Google turns over user data in 94% of US demands

June 27, 2011 by Dissent

Dan Goodin reports:

The US government filed more than twice as many demands for data about Google users than any other country in the past six months, according to figures the search behemoth supplied Monday. What’s more, according to the Google Transparency Report, Google fully or partially complied with the US demands in 94 percent of the cases, a rate that was higher than responses to any other government.

Read more on The Register.

(Related) Tools for those who don't want to wait for Google... (and possible jobs for my Ethical Hackers?)

Lawful Interception: Technology that is legally watching you

… The following is an outline of just some of the companies who develop and distribute interception and intrusion technologies to law enforcement and government intelligence services.

ELAMAN is a German-based firm that specializes in security and communications monitoring.

… they offer law enforcement and governments the ability to intercept “…all kinds of communication within different telecommunication networks and carriers inside and outside a country’s borders.”

Security Software International (SSI)

They offer tactical and strategic intelligence solutions to governments and law enforcement.

… They offer the ability to monitor more than 200 different network nodes (switches, routers, gateways, application servers) developed by all of the top vendors. In addition, their LIMS offering enables real-time monitoring of telephony, fax, SMS, MMS, e-mail, VoIP, Push-to-Talk and other IP-based communication services.

Shield Security

Not much is known about this company. Their name originally appeared in Spam leaked from HB Gary and HB Gary Federal after the attack by Anonymous.

Located in the U.K., they deal with the government only, and offer a range of surveillance and monitoring products.

Intercept Monitoring Solutions (Discovery Telecom Technologies)

The company mantra says it all. “While others talk, we intercept.”

Shoghi Communications Ltd.

Focused on communications and signals intelligence, this firm is located in northern India, rather close to Pakistan.

Utimaco (Sophos Group)

There are plenty of documents available for Utimaco’s Lawful Interception Management System.

Group 2000

Group 2000 offers LIMA to law enforcement and intelligence services when they need to monitor communications.

VUPEN

VUPEN is known for exploit and vulnerability research. When they discover a flaw, they often tell the vendor last (if at all), but offer protection from the zero-day threats to customers who subscribe to their services.

Access to VUPEN’s custom Malware and exploits is highly restricted. Only countries, members, or partners of NATO, ANZUS and ASEAN can take part.

Gamma International

Their website, seen here, contains only the basics, and emails from the public are ignored. When it comes to those they work with, the client list is restricted to intelligence and law enforcement.

Hacking Team

Located in Milano, Italy, Hacking Team is another company that many outside of the intelligence and law enforcement world might not know. They offer both offensive and defensive security services to clients, including penetration testing.

HBGary

Based on emails leaked after the Anonymous attack, HBGary can be counted as an intrusion vendor. They developed a rootkit that is able to “exfiltrate information past personal firewalls without detection” noting that the elegance of their rootkit’s design means more reliability and less detection footprint.

Information on HBGary’s other offerings to law enforcement and intelligence agencies can be seen here.

Endgame Systems

Endgame offers the government subscription-based solutions. One of them, called Maui in company documents, includes vulnerability research, as well as custom exploit toolkit development. It isn’t cheap however, with prices reaching more than $2.5 million dollars per year.

Let me help you surveil me...

June 27, 2011

Consumer Groups Recommend Privacy Safeguards on "Smart Meter" Services

EPIC: "The Trans-Atlantic Consumer Dialogue (TACD), a coalition of consumer groups in Europe and North America, adopted a report on privacy and electrical services at the 12th Annual TACD meeting held recently in Brussels. The Smart Meter White Paper warns the "dramatic increase in the granularity of data available and frequency of collection of household energy consumption means that the smallest detail of household life can be revealed." The TACD report sets out recommendations to protect the privacy of users of new energy services. For more information, see EPIC - Smart Grid and Privacy."

Should be very popular! Gives congressmen the ability to have quality face-time with their constituents without actually having to be near them...

The U.S House Of Representatives Can Now Use Skype’s Video Calling Service

… Today, the U.S. House of Representatives is announcing that members of Congress will be able to use Skype’s videoconferencing technology on government computer systems.


Microsoft patent raises concerns - Will Skype have a backdoor?

Nothing muddies up the water like a lawyer answering a direct question. In this case, “Can the police search my computer” is answered: Yes, No, Maybe, Except for, Unless, and It depends... All at the same time.

June 27, 2011

Know Your Digital Rights guide from EFF

Know Your Rights! by Hanni Fakhoury, EFF Staff Attorney, June 2011

  • "Your computer, your phone, and your other digital devices hold vast amounts of personal information about you and your family. This is sensitive data that’s worth protecting from prying eyes — including those of the government. The Fourth Amendment to the Constitution protects you from unreasonable government searches and seizures, and this protection extends to your computer and portable devices. But how does this work in the real world? What should you do if the police or other law enforcement officers show up at your door and want to search your computer? EFF has designed this guide to help you understand your rights if officers try to search the data stored on your computer or portable electronic device, or seize it for further examination somewhere else. Because anything you say can be used against you in a criminal or civil case, before speaking to any law enforcement official, you should consult with an attorney."

Not yet sure how I'll use this.

Google Quietly Rolls Out A Range Of Google Product Results On One Page

For those times when you can't locate a geek...

Tildee - Create, Share, and Find Tech Tutorials

Tildee is a good site for creating, sharing, and locating tutorials for all kinds of technology-related things. Tildee provides a template and platform for sharing tutorials with others. Each tutorial you create is assigned a specific url that you can share with anyone. Your tutorials can include any combination of text, screen captures, and videos. Each tutorial that you create on Tildee is assigned a unique URL that you can share wherever you like.

Even if you don't use Tildee to create a tutorial yourself you can still use the site. You can browse or search the gallery of public tutorials to find one suits your needs.

I know this is a concern for many of my students...

Are Fake Geeks Dooming Real Ones?

"In the wake of the Best Buy 'geek' trademarking and Miss USA calling herself 'a huge history geek,' writer (and self-proclaimed geek) Eryn Green has an interesting piece for Esquire on how so-called 'geek chic' is pervading the culture so much that no one appreciates an actual geek anymore. From the article: 'The difference between brains and beauty is that you're more or less born into good looks — entitled, if you will. Intelligence? That takes work. If the hallmark of real geekiness — of America — is determination, then we seem too determined to have an entitlement problem.'"

[To avoid confusion, I suggest the following tests:

For all my “Frequent Flyer” friends. This should stir things up a bit...

Cancer Cluster Possibly Found Among TSA Workers

"TSA employees at Logan International Airport believe they have identified a cancer cluster in their ranks, according to documents obtained under the Freedom of Information Act and released by the Electronic Privacy Information Center. They have requested dosimetry to counter 'TSA's improperly non-monitored radiation threat.' So far, at least, they have not received it. The documents also reveal a paper from Johns Hopkins that essentially questions whether it is even safe to stand near an operating scanner, let alone inside one. Also, the National Institute of Standards and Technology says that the Dept. of Homeland Security 'mischaracterized' their work by telling USA Today that NIST affirmed the safety of the scanners when in fact NIST does not do product safety testing and never tested a scanner for safety."