Friday, July 07, 2006

July 7, 2006

Oh Lord, let me live long enough to see this happen! (Remember this every April 15th)

http://www.gbj.com/content.cfm?Action=story_detail&StoryID=1635

Say goodbye to the IRS

Interview by Christopher Lancette

Seventh district congressman John Linder (R-Ga.)... ...is also the author of the FairTax, legislation that would change the U.S. tax system.

... Currently, the average taxpayer gives the government 33 cents of every dollar they earn. In our system, they would give the government 23 cents of every dollar they spend. [Great! Bob] Then we would provide to every household - every household - a cash distribution at the beginning of every month that would totally untax them up to poverty-level spending. [Huh? Potentially stupid! Bob]



Might be interesting to see what's happening in other states...

http://www.9news.com/acm_news.aspx?OSGNAME=KUSA&IKOBJECTID=4118bdd0-0abe-421a-005b-c4243d004688&TEMPLATEID=0c76dce6-ac1f-02d8-0047-c589c01ca7bf

State: Thousands of Social Security numbers stolen

posted by: Jeffrey Wolf Web Producer Created: 7/5/2006 5:49 PM MST - Updated: 7/5/2006 10:30 PM MST

DENVER - Thousands of people have had their Social Security numbers stolen and then used by others to get jobs in Colorado.

State labor chief Rick Grice says he discovered the thefts when he asked his computer experts to check Social Security numbers filed by major employers for worker's compensation insurance.

There were 2,200 cases where a single number was used six or more times. One Social Security number was provided by 57 different employers.

... He also says that employers are not document experts. "The fraudulent market is huge. It's easy to reproduce a Social Security card. That's not an employer's responsibility. Employers can't do anything about that black market," said Buono.

Identity theft has been a growing concern, leading lawmakers this year to pass a law making such an offense a felony punishable by up to six years in prison. It was signed by Owens in May.

Video: http://www.9news.com/includes/buildasx.aspx?fn=http://wm.kusa.gannett.edgestreams.net/news/1152159957329-07-05-06-ssn-10p1.wmv&sp=http://wm.kusa.gannett.edgestreams.net/ads/sales/pre-stream/elite-may06.wmv
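The check the Colorado labor chief describes above (count how many different employers filed the same Social Security number, flag any number used six or more times) is easy to reproduce. This is an added example, not code from the article or from the state's systems; the filings below are constructed, the SSNs are obviously fake placeholders, and the threshold of six comes from the article:

```python
from collections import defaultdict

# Constructed sample filings as (employer, SSN) pairs. The numbers are
# placeholders in the 000-xx-xxxx range, which is never issued.
SAMPLE_FILINGS = [
    ("Acme Roofing", "000-00-0001"),
    ("Acme Roofing", "000-00-0001"),       # same employer twice: counts once
    ("Bravo Landscaping", "000000001"),    # same number, unformatted
    ("Charlie Trucking", "000-00-0001"),
    ("Delta Foods", "000-00-0001"),
    ("Echo Builders", "000-00-0001"),
    ("Foxtrot Cleaning", "000-00-0001"),
    ("Golf Hotels", "000-00-0001"),        # 7 distinct employers in total
    ("Acme Roofing", "000-00-0002"),
    ("Bravo Landscaping", "000-00-0002"),  # 2 distinct employers: not flagged
    ("Acme Roofing", "000-00-0003"),
    ("Bravo Landscaping", "000-00-0003"),
    ("Charlie Trucking", "000-00-0003"),
    ("Delta Foods", "000-00-0003"),
    ("Echo Builders", "000-00-0003"),
    ("Foxtrot Cleaning", "000-00-0003"),   # exactly 6: flagged
]


def normalize_ssn(ssn):
    """Reduce an SSN to its nine digits so formatting differences do not
    split one number into several keys."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("not a nine-digit SSN: %r" % ssn)
    return digits


def employers_per_ssn(filings):
    """Map each normalized SSN to the set of distinct employers filing it."""
    seen = defaultdict(set)
    for employer, ssn in filings:
        seen[normalize_ssn(ssn)].add(employer)
    return seen


def flag_reused_ssns(filings, threshold=6):
    """Return {ssn: employer_count} for every SSN filed by at least
    `threshold` distinct employers (six, as in the Colorado check)."""
    return {
        ssn: len(employers)
        for ssn, employers in employers_per_ssn(filings).items()
        if len(employers) >= threshold
    }


if __name__ == "__main__":
    for ssn, count in sorted(flag_reused_ssns(SAMPLE_FILINGS).items()):
        print("SSN ending %s filed by %d distinct employers" % (ssn[-4:], count))
```

Counting distinct employers rather than raw filings matters: one employer re-filing the same worker every quarter is normal, while the same number arriving from many unrelated employers is the signal the state was looking for.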



http://www.prweb.com/releases/2006/7/prweb408169.htm

Top Financial Regulator Confirms Data Theft


Boca Raton, FL (PRWEB) July 6, 2006 - The NASD, formerly known as The National Association of Securities Dealers, has confirmed a burglary in its local offices resulting in the theft of 10 laptop computers. Though the burglary occurred on February 24, 2006, the regulator made no public mention of the breach until confronted with a Police Report on June 30th – over four months later.

The theft was uncovered by financial services executive and author Rogan LaBier, when investigating a rumor that such a breach had occurred. [Rumors got to outsiders before the managers responsible for security knew it? Bob] "It's potentially devastating" said LaBier, in an article sent to subscribers of a private newsletter. He also posted the Police Report and other documentary evidence to his website.

In a June 30th conversation with LaBier, NASD spokesperson Herb Perone confirmed that the break-in did occur, but said that "there was no personally identifiable customer account information contained in the stolen laptops." Perone also noted that because of this, "no notices were sent to individuals."

But LaBier found at least one individual who did receive a written notice from the NASD, reporting that his social security number, among other confidential records, was contained in one of the laptops stolen in the Boca Raton heist. The letter also states that the laptops were "password protected", and that gaining access "would require an unauthorized user to reformat the hard drive, [absolute nonsense Bob] or use special software to bypass the computer's operating system." [like Knoppix, free and downloadable from the Internet Bob]

On July 3rd, LaBier spoke with Perone again. He questioned whether individual account records were in fact contained in those laptops, and if so, how many. He also asked if the NASD was relying on the password protection in claiming that "no personally identifiable customer account information was contained on those computers." The spokesman said he would get back to LaBier with an answer, but at this time, the NASD has still not commented.

According to privacy experts, the relative strength of password protection is questionable. Doug Rehman, a retired Special Agent in the Florida Department of Law Enforcement and President of Rehman Technology Services in Mount Dora, Florida, told LaBier: "A password protection system is only as secure as the password is complex. Windows XP, for example, offers pretty much zero protection. Other systems can be nearly impossible to crack. If the passwords are less than eight characters long, professional software can crack those in a couple of days. Many users choose common or simple passwords, or keep the current passwords readily accessible, on Post-it notes, for example."

Just how many individuals may have had personal, confidential information on the stolen computers remains to be seen.

"What is so troubling," says LaBier, "is not so much the fact that the computers were stolen. It is that the NASD made the conscious decision to not reveal this theft to the public, and further, to create a response that might mislead the public to believe that no confidential financial information had actually been stolen. And apparently, nothing has been done about the incident other than working with local law enforcement, which considers the case inactive."

The NASD's Website describes the regulatory organization as "the primary private-sector regulator of America's securities industry... The NASD licenses individuals and admits firms to the industry, writes rules to govern their behavior, examines them for regulatory compliance and disciplines those who fail to comply."

The Boca Raton Police Department detective in charge of the investigation into the burglary believes that it was conducted for the laptops themselves, and not for data contained in them. According to the Police Report, the perpetrators defeated the alarm system and several video surveillance cameras, [Yep, clearly amateurs... Bob] targeting the laptops and their power cords. The case is currently considered inactive. Whether or not the computers have made it into the hands of individuals capable of defeating the password protection remains to be seen.

NASD's letter to Theft Victim: Letter from NASD confirming the burglary of victim's confidential data. Uploaded: Jul 6, 2006

Police Report (pdf): This is the first page summary of the Boca Raton Police Department's report of the burglary. Uploaded: Jul 6, 2006 [Note that business and home phones are included Bob]



But never fear, the FBI is there to protect you! Their expertise is legendary, their security invincible!

http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489.html

Consultant Breached FBI's Computers

Frustrated by Bureaucracy, Hacker Says Agents Approved and Aided Break-Ins

By Eric M. Weiss Washington Post Staff Writer Thursday, July 6, 2006; Page A05

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars [obviously not a “per incident” budget Bob] to ensure no sensitive information was lost or misused.

The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information.

Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism.

An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a "comprehensive and proactive security program'' that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training.

Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison, according to the government's sentencing guidelines. He has lost his job with BAE Systems, and his top-secret clearance has also been revoked.

In court filings, the government also said Colon exceeded his authorized access during a stint in the Navy.

While documents in the case have not been sealed in federal court, the government and Colon entered into a confidentiality agreement, [so, we could get a set of instructions from the court? Bob] which is standard in cases involving secret or top-secret access, according to a government representative. Colon was scheduled for sentencing yesterday, but it was postponed until next week.

His attorney, Richard Winelander, declined to comment.

According to Colon's plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation's most secret databases.

Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to "crack" the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet. [see why passwords are not secure enough? Bob]

What Colon did was hardly cutting edge, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ Corp. "It was pretty run-of-the-mill stuff five years ago," Stewart said.

Asked if he was surprised that a secure FBI system could be entered so easily, Stewart said, "I'd like to say 'Sure,' but I'm not really. They are dealing with the same types of problems that corporations are dealing with."
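Both this article and the NASD piece above make the same point: cracking tools get their results from dictionary words, common-password lists, character substitutions and short lengths. The defender's move is to apply the same rules at password-set time and reject anything a cracker would find quickly. This is an added example, not the FBI's or any vendor's code; the wordlists are constructed and deliberately tiny (a real deployment would load a full dictionary and a published common-password list), and the eight-character floor is the one quoted in the NASD article:

```python
import re

# Substitutions a cracker's mangling rules apply; reversed here so the
# checker sees the dictionary word underneath ("P@ssw0rd" -> "password").
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Constructed, illustrative wordlists only.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "monkey", "football"}
COMMON_PASSWORDS = {"123456", "qwerty", "abc123", "iloveyou", "password1"}
MIN_LENGTH = 8  # the eight-character threshold quoted in the NASD article


def deleet(text):
    """Lower-case and undo common character substitutions."""
    return text.lower().translate(LEET_MAP)


def candidate_cores(pw):
    """The forms a dictionary cracker tries: the password as given, and the
    password with leading/trailing digits or punctuation peeled off
    ("Summer2006!" -> "Summer"), each with substitutions reversed."""
    variants = {
        pw,
        re.sub(r"^[^A-Za-z]+", "", pw),
        re.sub(r"[^A-Za-z]+$", "", pw),
        re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw),
    }
    return {deleet(v) for v in variants if v}


def weakness_reasons(pw):
    """Return a list of reasons the password would fall to a routine
    dictionary attack; an empty list means none of these checks fired."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    hits = sorted(core for core in candidate_cores(pw) if core in DICTIONARY)
    if hits:
        reasons.append("dictionary word after undoing substitutions: " + ", ".join(hits))
    return reasons


def is_acceptable(pw):
    return not weakness_reasons(pw)


if __name__ == "__main__":
    for sample in ["P@ssw0rd", "Summer2006!", "monkey", "gV7$q2Lm9xRt"]:
        print("%-14s %s" % (sample, weakness_reasons(sample) or "ok"))
```

The point of the candidate set is that a checker which only compares the literal password against a wordlist passes "P@ssw0rd" and "Summer2006!", while the cracking programs the article describes do not; the policy has to undo the same substitutions the attacker's rules apply.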



Complex investigation leads to complex litigation?

http://www.theregister.co.uk/2006/07/06/90_days_terror_law_analysis/

Drowning in data - complexity's threat to terror investigations

By John Lettice Published Thursday 6th July 2006 14:03 GMT

Analysis: A Home Affairs Committee report into police detention powers, published earlier this week, concludes that police powers to hold terror suspects without charge will need to be extended from 28 days to 90 days - and, once the flimsier justifications (e.g. time needed for prayers) have been stripped out, technology is largely to blame. The Committee, which has an impressive track record of criticising the Government but somehow ending up agreeing with it anyway, takes into account the international nature of current terrorist threats, the security services' need to mount 'pre-emptive' operations in order to 'protect the public', encryption, the burden of data analysis, and the logistics of forensics in general in order to come to its conclusions.

... It's fairly easy to see how one facet of the problem, volume of cases, grows like topsy. The Forest Gate raid is by no means the only case where resource-intensive raids and arrests have been based on doubtful tips and flimsy evidence, and while for reasons of sub judice we can't go into many of these cases in any great depth, published data on the charges that have been brought is surely significant. Few terrorism arrests lead to terrorism charges, and in the case of 'Islamist' category arrests, the charges ultimately brought are often immigration, credit card or ID fraud related. People are pulled in because the security forces believe they 'might' be terrorists, 'might' be about to launch a huge chemical, biological, nuclear attack, 'might' be suicide bombers.

... One gotcha of the arguments (bizarrely, they can all agree but still have arguments) is that the more publicity the issue gets, the more likely terror groups are to use encryption. Few do at the moment, and security awareness among Islamist groups (even the allegedly experienced ones) is frequently low. Another gotcha arises as and when encryption is widely used. If it's poor and badly set up, then it's easy to crack and you don't need the key. If it's properly set up, as Professor Ross Anderson put it to the Committee, you either guess the password or give up. No amount of analysis time will have any bearing on this, and as far as the encryption issue goes, 90 days is neither here nor there.

Related stories

Homebrew chemical terror bombs, hype or horror? (4 June 2006)
http://www.theregister.co.uk/2006/06/04/chemical_bioterror_analysis/
DoJ pushes data retention on ISPs (1 June 2006)
http://www.theregister.co.uk/2006/06/01/feds_need_ip_data/
Government wants encryption key offence in force (19 May 2006)
http://www.theregister.co.uk/2006/05/19/ripa_enforcement/
CIA defends unaccountable snooping (18 May 2006)
http://www.theregister.com/2006/05/18/cia_snooping/
MoD opens doors on counter-terrorism lab (10 April 2006)
http://www.theregister.co.uk/2006/04/10/mod_terror_lab/
NSA searches for advanced data mining tech (27 February 2006)
http://www.theregister.co.uk/2006/02/27/nsa_silicon_valley_shopping/
Lords restrict terror website censorship plans (6 February 2006)
http://www.theregister.co.uk/2006/02/06/lords_restrict_terror_censorship/
EC outlines anti-terror database measures (28 November 2005)
http://www.theregister.co.uk/2005/11/28/anti_terror_databases/
Home Office plans for science to tackle terror (23 November 2005)
http://www.theregister.co.uk/2005/11/23/science_vs_terrorism/
Clarke calls for ID cards after imagining huge poison terror ring (14 April 2005)
http://www.theregister.co.uk/2005/04/14/wood_green_ricin_case/



http://lsolum.blogspot.com/archives/2006_07_01_lsolum_archive.html#115219172682391539

Litman on the Economics of Open-Access

Jessica Litman (University of Michigan) has posted The Economics of Open-Access Law Publishing (Lewis & Clark Law Review, Forthcoming) on SSRN. Here is the abstract:

... Law journal publishing is one of the easiest cases for open access publishing. Law scholarship relies on few commercial publishers. The majority of law journals depend on unpaid students to undertake the selection and copy editing of articles. Nobody who participates in any way in the law journal article research, writing, selecting, editing and publication process does so because of copyright incentives. Indeed, copyright is sufficiently irrelevant that legal scholars, the institutions that employ them and the journals that publish their research tolerate considerable uncertainty about who owns the copyright to the works in question, without engaging in serious efforts to resolve it. At the same time, the first copy cost of law reviews is heavily subsidized by the academy to an extent that dwarfs both the mailing and printing costs that make up law journals' chief budgeted expenditures and the subscription and royalty payments that account for their chief budgeted revenues. That subsidy, I argue, is an investment in the production and dissemination of legal scholarship, whose value is unambiguously enhanced by open access publishing.



http://www.bespacific.com/mt/archives/011739.html

July 06, 2006

Copyright Law, Second Edition

Federal Judicial Center: Copyright Law, Second Edition, 2006, 241 pages.

  • "This monograph provides a concise overview of the law of copyright from its origins in the English common law through recent Supreme Court cases, designed to provide judges with a grounding in the essential concepts and statutory and case law in this specialized area. The monograph covers the duration and renewal of copyright, ownership of copyright, copyright formalities, as well as jurisdictional and procedural issues and the preemption of state law by federal copyright statutes. New material in this second edition includes updated case law, including Internet copying and music downloading; the Digital Millennium Copyright Act; judicial interpretation of Copyright Office regulations, decisions, and practices; and expanded coverage of contributory and vicarious liability, increasingly invoked by plaintiffs in infringement cases. The monograph covers developments in case law through May 1, 2006."



http://lsolum.blogspot.com/archives/2006_07_01_lsolum_archive.html#115213739578806519

Fowler, Johnson, Spriggs, Jeon, and Wahlbeck on Network Analysis of Supreme Court Precedents
James H. Fowler, Timothy R. Johnson, James F. Spriggs, Sangick Jeon and Paul J. Wahlbeck (University of California, Davis; University of Minnesota; Washington University, St. Louis - College of Arts & Sciences; University of California, Davis; and George Washington University) have posted Network Analysis and the Law: Measuring the Legal Importance of Supreme Court Precedents on SSRN. Here is the abstract:



Better than “My dog ate my homework?”

http://news.com.com/2100-1028_3-6091457.html?part=rss&tag=6091457&subj=news

Police blotter: SBC sued over deleted screenplay

By Declan McCullagh Story last modified Fri Jul 07 06:09:49 PDT 2006

Police blotter is a weekly CNET News.com report on the intersection of technology and the law.

What: An aspiring writer sues SBC (now AT&T) after a technician installing a DSL link allegedly deleted three screenplays from his computer.

When: A California appeals court ruled on July 5.

Outcome: Screenwriter basically gets no money.

What happened, according to court documents:

When Nicholas Boyd asked SBC to install a digital subscriber line (DSL), he got more than he bargained for.

In December 2000, a technician named James Kassenborg showed up, allegedly said that certain icons and files were not needed--and deleted all of Boyd's scripts and related projects when installing the connection.



http://www.bespacific.com/mt/archives/011734.html

July 06, 2006

Commentary on Style and Substance in Website Writing and Design

Putting the White Back in Strunk and White, by Christina Wodtke. "Style and appropriateness may seem like an odd duo, but they are not. Style is the natural result of the over-abundance of energy and unique perspective a designer—creative person—is gifted and cursed with. Appropriateness is what helps them guide it in its application."



Fighting fire with gasoline? Won't this result in a “how to” manual?

http://www.bespacific.com/mt/archives/011743.html

July 06, 2006

Government Funds Law School Analysis of Sensitive Gov't Docs.

USAToday.com reported that "the federal government will pay a Texas law school $1 million to do research aimed at rolling back the amount of sensitive data available to the press and public through freedom-of-information requests. Beginning this month, St. Mary's University School of Law in San Antonio will analyze recent state laws that place previously available information, such as site plans of power plants, beyond the reach of public inquiries."



Isn't it a bit early to panic?

http://techdirt.com/articles/20060706/1030224.shtml

eBay Says You Can't Trust Google Checkout; Bans It From eBay

from the a-little-competitive-fun dept

When Google released its Checkout offering last week, there was a lot of discussion over whether or not it was a Paypal competitor. Most people agreed that while it did some of the same things, it was really targeting a different market. Even eBay made some statements to that effect. However, eBay's actions suggest that they actually are quite worried about Checkout. They've now banned eBay sellers from using Google Checkout, claiming that it's not trustworthy, since Google does not have a "substantial historical track record of providing safe and reliable financial and/or banking related services." That seems like a pretty weak statement. If they just want to block out a competitor, that's one thing. However, claiming that Google isn't trustworthy enough in financial transactions is clearly the company just coming up with a random excuse to hide behind to avoid admitting that they're actually worried about the new competition from a big player.



http://techdirt.com/articles/20060707/030216.shtml

Wiki Demonstrates How Yellow Pages Are Obsolete -- Gets Sued For Its Efforts

from the yeah,-people-must-be-confused dept

It really is amazing that the yellow pages business directory business is still as strong as it is. In the age of the internet, selling ads in phone books is still a multi-billion dollar business -- though, those in the business must realize it's at risk. While millions of the books are distributed, sooner or later advertisers are going to wake up to the fact that most of these books are a complete waste, likely only to be thrown out (if touched at all). There are ways that yellow pages providers can move into the internet age (and a few are trying), but it seems there are going to be a few speedbumps along the way. The world's largest yellow pages publisher, Yell, which made about $2.4 billion last year, has apparently unleashed its legal attack dogs against Yellowikis, a volunteer wiki-based yellow pages directory that lost a grand total of $500. The company is, of course, claiming trademark infringement, but it's hard to see how "yellow pages" can't be considered a generic term at this point. Furthermore, it seems incredibly unlikely that there's any confusion (which is what trademark law is supposed to be about: preventing consumer confusion) about the fact that Yell has absolutely nothing to do with Yellowikis. Of course, thanks to this news spreading, it's likely going to mean that Yellowikis will get a lot more attention, boosting the bottom-up threat to Yell's traditional business.



Are the documents disclosed for this lawsuit fair game for others trying to build a case?

http://techdirt.com/articles/20060707/042223.shtml

Direct Revenue Spyware Infected Company's Own Investors

from the whoops dept

We've followed the saga of spyware maker Direct Revenue for years. Back in 2004, they claimed they were changing their ways and becoming more transparent. Since then, we've noted repeatedly how the company continued its sneaky ways, eventually leading to a lawsuit filed in NY earlier this year. That lawsuit meant that a lot of internal documents were made public, revealing a lot about what went on at the company, suggesting it wasn't at all interested in really cleaning up its act. Business Week has now put together a very thorough piece using those documents and additional reporting to look at what was really happening inside Direct Revenue the past few years.

The story isn't likely to surprise many people. As if to answer our own question of how the company could possibly make money if it wasn't sneaky, the internal documents show that as soon as the company tried to be more transparent and less evil, people didn't want their software. That resulted in an email from one of the company's founders (that was written after those promises to be a good actor in the space) stating: "We need to experiment with less user-friendly uninstall methodologies." However, one of the more interesting stories concerns some of the investors who threw millions at the company (allowing its founders to pocket millions on their own as well). According to the Business Week piece, a managing director at one of the company's investors got infected by Direct Revenue's software, and couldn't get rid of it (of course). Eventually the company had to send its customer support director over to their investors' offices to fix the machine. Makes you wonder just what sort of due diligence the investors actually did before investing in this company.



The fool, he should have blamed it on lawn mowing... Now Mom & Dad can refuse to buy a new iPod, but insist he keep mowing the lawn! (This happened in Castle Rock)

http://digg.com/apple/Dude_struck_by_lightning_blames_it_on_iPod.

Dude struck by lightning blames it on iPod.

Submitted by jer2eydevil88 8 hours 43 minutes ago (via http://arstechnica.com/journals/apple.ars/2006/7/6/4551 )

Next thing he knew, he was in his bed, bleeding from his ears and vomiting. He was barefoot and had taken off his burned T-shirt and gym shorts. He doesn't know how he got back in the house.



More amusing than useful...

http://digg.com/gadgets/The_Ten_Commandments_of_Cell_Phone_Etiquette

The Ten Commandments of Cell Phone Etiquette

Submitted by bodiethelab 14 hours 44 minutes ago (via http://www.infoworld.com/articles/op/xml/00/05/26/000526opwireless.html )

Light reading, enjoy a good laugh about your friends, colleagues and even yourself!
