Sunday, February 18, 2007

There are millions of eyes on the Internet...

http://blog.auctionbytes.com/cgi-bin/blog/blog.pl?/pl/2007/2/1171726205.html

Vendor Security Lapse Has eBay Sellers Fuming

By: Ina Steiner Sat Feb 17 2007 10:30:05

A list of eBay sellers containing names, addresses, and user names and passwords was discovered online this week. On Tuesday, eBay users began buzzing about the list in a thread entitled, "Is eBay like the Titanic" on the eBay Trust & Safety board, with someone including a link to the list.

eBay removed the link, according to eBay spokesperson Hani Durzy. "The link was taken down for obvious reasons. The boards are not to be used to promote illegal activities," he said. But the remaining posts made it clear users remained concerned and angry.

Durzy told AuctionBytes on Friday afternoon that the data was several years old. eBay believed the data was the result of users giving out their passwords to scammers through phishing emails, and had no reason to believe the rumor that the information came from a third-party developer.

But several hours later, an eBay member sent AuctionBytes an active link to a list of customer names on Prosperpoint, a developer that provides eBay sellers with auction-management services.

When contacted by AuctionBytes, Prosperpoint founder and CEO Carson Kelly said the data came from a file that was erroneously put on the company's pages and dated back to 1999 or 2000. "We switched our technology backbone. It was a copy of a file used to move data from one to another." According to Kelly, the employee who put the data on a publicly accessible page is no longer working at Prosperpoint, but Kelly said he was sure it was a mistake and not intentional.

Kelly said the data included Prosperpoint user IDs and passwords, not eBay account information.

However, Kelly was unaware that a list - with thousands of Prosperpoint customer records - was still active on a page on his site, and removed it within moments of being told about it by AuctionBytes on Friday evening. That list contained more recent account data, Kelly said. "Our security is good. This fell through the cracks." [Should this read, “Our security is good but full of holes?” Bob]

Kelly said credit card information on all of the lists was encrypted - meaning it was not accessible. He said he was unaware of a California law requiring companies to notify users of security breaches, but said he was in the process of notifying customers.

When asked why some users - and eBay itself - believed the user IDs and passwords belonged to eBay accounts, Kelly said some users - particularly in 1999 and 2000 - may have used the same passwords for multiple services. Kelly said he had been aware of the problem for a few days, and had not been in touch with eBay.

In 2004, eBay implemented the Authentication and Authorization program, a security measure that eliminates the need for users to give their eBay passwords to third-party vendors.

Durzy had stated that any eBay accounts on the list that might have been active were already locked down. eBay took three steps, he said. First, they locked down the accounts, and will then try to restore the accounts to the rightful owners. eBay also contacted law enforcement.

However, it's not clear if eBay was aware of the second list of more recent customer data. It was too late to get further information from eBay by press time.



This is easy to understand. They had no clue what was going on and they panicked – not at all unusual for politicians or top level government bureaucrats.

http://www.fcw.com/article97701-02-16-07-Web

IG: Task orders were awarded improperly in VA data theft investigation

BY David Hubler Published on Feb. 16, 2007

Department of Veterans Affairs officials improperly awarded several task orders and a blanket purchase agreement after the theft of a laptop computer and hard drive from a VA employee’s home last May, the department’s Office of Inspector General said.

In a newly released report, the IG's office said the VA awarded a sole-source task order June 1, 2006, to Internet Security Systems (ISS) to analyze 17 portable media devices that the VA employee had used to transfer data from his office to his home computer.

Pedro Cadenas, then associate deputy assistant secretary at the VA’s Office of Cyber and Information Security, wrote the memorandum justifying the sole-source award, saying ISS “is a renowned contractor who has demonstrated global capacity of satisfying this critical demand.”

However, the IG found that ISS could not access the data and perform the forensic analysis because it was unfamiliar with the Statistical Analysis System format, despite its claim to the contrary. VA information technology officials converted the data into a format the contractor could read.

... The IG’s office said it was unable to interview Cadenas because he resigned three days before he was ordered to appear for an interview. The report adds, “We were unable to obtain records relating to Mr. Cadenas’ administration of the contract; there were no hard copy files and he had used professional software to erase the hard drive on his computer.”

... In an attachment to the report, VA officials agreed to take all recommended actions. [and you can be as confident of that as you were that no more personal data would be stolen.... Bob]



Two things: 1) Continuing evidence that not all levels of the organization “get” security or privacy issues, and 2) Increasing evidence that the “man in the street” does.

http://www.sptimes.com/2007/02/16/Northpinellas/Bank_records_turn_up_.shtml

Bank records turn up in trash

A bag of documents contains customer names, Social Security numbers and more.

NICOLE J. HUTCHESON Published February 16, 2007

... Charlie Burkart, a construction site foreman at the Avenue clothing store being built at the strip mall on the northeast corner of State Road 580 and Summerdale Drive, discovered a black garbage bag with bank documents that included customers' account numbers, Social Security numbers, addresses and names - including Stevens'.

Burkart found the documents after he noticed someone had dumped old lawn furniture into the site's receptacles. He went into a trash bin to try to find information that might identify the culprit, and he found the Fifth Third documents. [Note: This was not the bank's dumpster. Who was trying to hide what? Bob]

... "I've known several people who have been hurt by identity theft," [increasingly common... Bob] said Burkart, who works for construction company S.C. Nestel of Indiana.

... Fifth Third spokeswoman Bonnie Patchen would not comment on how the documents reached the trash unshredded, but she said the bank is investigating.

"Fifth Third has really strong security measures in place," Patchen said. "Situations like this are highly unusual."

... Sheriff's spokeswoman Marianne Pasha said law enforcement deals with such incidents occasionally.

"Nine times out of 10, it's because there's been an error involving the separation of documents for proper destruction and office trash," she said.



Do you suppose something like the TJX hack could be used to fund this project?

http://politics.slashdot.org/article.pl?sid=07/02/17/1936236&from=rss

Chinese Hack Attacks on DoD Networks Coordinated

Posted by Zonk on Saturday February 17, @03:39PM from the man-your-battlestations dept. Security Politics

An anonymous reader writes "The Naval Network Warfare Command says that Chinese hackers are relentlessly targeting Defense Department networks with cyber attacks. The 'volume, proficiency and sophistication' of the attacks supports the theory that the attacks are government supported. The motives of the attacks emanating from China include technology theft, intelligence gathering, exfiltration, research on DOD operations and the creation of dormant presences in DOD networks for future action. Onlookers warn that current US defenses against these attacks are 'dysfunctional', and that more aggressive measures should be taken to ensure government network safety."



Wouldn't it be amusing if at some point a judge said, “From the evidence it is clear that you don't believe copyrights/patents/licenses should be respected, so I'll just apply what you do – not what you say.”

http://yro.slashdot.org/article.pl?sid=07/02/18/0458213&from=rss

MPAA Violates Another Software License

Journal written by Alien54 (180860) and posted by Zonk on Sunday February 18, @01:46AM

from the that's-a-little-cold dept.

Patrick Robib, a blogger who wrote his own blogging engine called Forest Blog recently noticed that none other than the MPAA was using his work, and had completely violated his linkware license by removing all links back to the Forest Blog site, not crediting him in any way. The MPAA blog was using the Forest Blog software, but had completely stripped off his name, and links back to his site. He only found about it accidentally when he happened to visit the MPAA site.



This is from the “e-Discovery Team” blog. (ESI is Electronically Stored Information.) Also, see the next article.

http://ralphlosey.wordpress.com/2007/02/17/employer-allowed-to-mirror-employees-home-computers-and-obtain-inaccessible-esi/

Employer Allowed To Mirror Employees Home Computers and Obtain Inaccessible ESI

26(b)(2)(B) Mirroring

A District Court in Missouri became one of the first in the country to employ the new inaccessibility analysis under Rule 26(b)(2)(B). Ameriwood v. Liberman, 2006 WL 3825291, 2006 U.S. Dist. LEXIS 93380 (E.D. Mo., Dec. 27, 2006). The plaintiff in another trade secret theft case moved to compel the defendants (former employees of plaintiff) to allow a complete mirror image inspection of the hard drives on all of their computers, including their home computers, and other portable storage devices (like thumb drives). The defendants objected on the basis that the mirror imaging sought constituted a request for inaccessible data, [Clearly not true. Bob] was unnecessary and intrusive.

A mirror image of a hard drive is an exact duplicate of the entire drive, including deleted files, slack and free space. Id. at fn. 3. A trained computer forensic expert can examine a mirror image of a drive and reconstruct files that have been deleted, thus transforming them from inaccessible to accessible. This process can, however, be quite expensive. As a general rule mirroring or inspection of an entire hard drive is not permitted without good cause. It is analogous to allowing a requesting party to inspect an entire paper filing cabinet, instead of just the particular files in the cabinet that are relevant, and search the garbage cans too.
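The reconstruction step described above, as an added example that is not from the Ameriwood opinion or the e-Discovery Team post: a raw (dd-style) mirror keeps the bytes of a deleted file in free space even after its directory entry is gone, so an examiner can recover it by scanning for file-type header and footer signatures ("carving") rather than trusting the filesystem's list of live files. The script assumes a raw sector image with no filesystem parsing, carves only PNG and PDF, and uses an invented one-sector "directory" format plus a constructed sample image so it runs offline; hashing the image before and after the exam is the usual chain-of-custody check that the mirror was not altered.

```python
"""Signature-based carving of a raw disk image (added example, not the court's or
the blog's code). Assumptions: raw sector-by-sector image, PNG/PDF only, and a
toy 'DIR:name@offset;' directory format invented for the constructed sample."""
import hashlib
import re
import struct
import zlib

SECTOR = 512
MAX_CARVE = 64 * 1024 * 1024  # give up on a header whose footer is not within 64 MiB

# (header, footer) byte signatures; assumption: only these two file types matter
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def sha256_hex(data: bytes) -> str:
    """Hash used to record the image before and after examination."""
    return hashlib.sha256(data).hexdigest()


def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG (all-black pixels)."""
    def chunk(tag: bytes, payload: bytes) -> bytes:
        body = tag + payload
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body))
    scanline = b"\x00" + b"\x00\x00\x00" * width  # filter byte + RGB pixels
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (SIGNATURES["png"][0] + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanline * height)) + chunk(b"IEND", b""))


# Constructed sample document (not a real PDF from anywhere)
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF")


def build_sample_image() -> bytes:
    """Constructed 64 KiB 'drive': sector 0 holds a toy directory listing only
    photo.png. The PDF's entry was removed (the file was 'deleted'), but its
    bytes still sit untouched in free space at sector 40."""
    image = bytearray(128 * SECTOR)  # zero-filled
    png = make_png()
    image[10 * SECTOR:10 * SECTOR + len(png)] = png
    image[40 * SECTOR:40 * SECTOR + len(SAMPLE_PDF)] = SAMPLE_PDF
    entry = b"DIR:photo.png@%d;" % (10 * SECTOR)
    image[0:len(entry)] = entry
    return bytes(image)


def directory_listing(image: bytes) -> dict:
    """Parse the toy directory in sector 0 -> {name: offset}. Only live files appear."""
    return {m.group(1).decode(): int(m.group(2))
            for m in re.finditer(rb"DIR:([^@;]+)@(\d+);", image[:SECTOR])}


def carve(image: bytes) -> list:
    """Find every header/footer pair anywhere on the image, ignoring the
    directory, so deleted files in free space are recovered too."""
    records = []
    for ftype, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := image.find(head, pos)) >= 0:
            end = image.find(tail, start + len(head), start + MAX_CARVE)
            if end < 0:            # header with no footer in range: skip it
                pos = start + 1
                continue
            end += len(tail)
            blob = image[start:end]
            records.append({"type": ftype, "offset": start,
                            "size": len(blob), "sha256": sha256_hex(blob)})
            pos = end
    return sorted(records, key=lambda r: r["offset"])


if __name__ == "__main__":
    img = build_sample_image()
    print("image sha256:", sha256_hex(img))            # record this before touching the copy
    print("directory lists:", directory_listing(img))  # only the live file
    for r in carve(img):
        print(f"carved {r['type']} at offset {r['offset']} ({r['size']} bytes) {r['sha256'][:16]}...")
```

The directory reports one file; the carver returns two, the second being the "deleted" PDF, which is exactly why a mirror (rather than a copy of the live files) is what the requesting party asks for. Production tools such as The Sleuth Kit, foremost, scalpel or PhotoRec do the same thing with hundreds of signatures and filesystem awareness, and the per-blob hashes are what the expert lists in the report so defendants' counsel can match what was handed over.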

Still, in this case the court granted the employer’s motion because: (1) of the close relationship between the plaintiff’s claims and the defendant’s computer equipment; (2) facts placing in doubt that all responsive documents have been produced; and, (3) Plaintiff’s willingness to pay for the expert forensic examination costs involved in the mirroring.

The court followed the new burden shifting analysis of new Rule 26(b)(2)(B) to reach this result. The Rule provides:

On motion to compel discovery . . . , the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery.

The defendants first argued that they had already searched their ESI and produced all discoverable ESI and thus there was no need for a complete mirror image production too. In essence, they argued that this was “just a fishing expedition” not permitted under the rules. Plaintiff effectively countered by producing an email to defendants that they had obtained by subpoena of a third party. This email should have been in defendants’ custody and produced by them, but it was not. [The legal term for that is “Oops!” Bob] This cast doubt on the completeness of defendants’ production, and thus supported plaintiff’s argument that the mirroring was needed.

Defendants next argued that the mirror was a request for ESI not reasonably accessible to them because of undue burden and cost. Defendants supported this objection with affidavits of the significant costs involved in mirroring all of their computers and drives, recovering deleted information and then translating it into reviewable formats. The court agreed that defendants had established that the ESI requested was inaccessible to them under Rule 26 (b)(2)(B). But, that is not the end of the analysis. The rule goes on to still allow discovery of inaccessible data if the requesting party, here the plaintiff, shows good cause.

The plaintiff sustained this burden under the seven point good-cause inquiry suggested by the advisory committee notes to the rule. The third criterion was particularly persuasive in this case: “(3) the failure to produce relevant information that seems likely to have existed but is no longer available on more easily accessed sources.” This factor was met by the email produced by the third party, but not by defendants.

Good cause for the mirroring requested was also found in the allegations of the complaint itself, in that the trade secret theft here was allegedly accomplished by the computers in question. As the court explained:

Furthermore, in cases where a defendant allegedly used the computer itself to commit the wrong that is the subject of the lawsuit, certain items on the hard drive may be discoverable. Particularly, allegations that a defendant downloaded trade secrets onto a computer provide a sufficient nexus between plaintiff’s claims and the need to obtain a mirror image of the computer’s hard drive. . . . In the instant action, defendants are alleged to have used the computers, which are the subject of the discovery request, to secrete and distribute plaintiff’s confidential information. How and whether defendants handled those documents and what defendants did with the documents is certainly at issue. The Court recognizes defendants’ privacy concerns over the information contained on their computers, but finds that the procedure below in addition to the Court’s protective order sufficiently addresses these interests.

In performing the good-cause inquiry, the Court is also permitted to set conditions for discovery, including but not limited to payment by the requesting party of part or all of the reasonable costs of obtaining information from the sources that are not reasonably accessible. See Fed. R. Civ. P. 26(b)(2) advisory committee’s note. As plaintiff does not object to incurring the costs for the requested procedures and defendants do not perform these procedures in the regular course of their business, plaintiff will incur the costs involved in creating the mirror images, recovering the information, and translating the information into searchable formats, as described below. For the above reasons, this Court finds that plaintiff has shown good cause to allow it to obtain mirror images of defendants’ hard drives under the following conditions.

The court then set forth conditions designed to protect the privacy rights of defendants to the ESI on their computers, including their home computers. The court followed the procedures set forth by the seminal case in this area, Playboy Enterprises v. Welles, 60 F. Supp. 2d 1050, 1054 (S.D. Cal. 1999). Essentially a third party expert does the exam and restoration, and then turns over a copy to defendants’ counsel of all ESI found and recovered, including deleted files. Defendants then review the restored ESI and produce all data responsive to discovery requests, and log any responsive but privileged ESI. Thereafter plaintiff may file motions to compel if warranted.



“Were you serious about that?”

http://www.milforddailynews.com/homepage/8998925707706892287

Federal ruling forces schools to archive all electronic data

By Amber Herring/Daily News staff Saturday, February 17, 2007 - Updated: 10:57 PM EST

A U.S. Supreme Court ruling requiring school districts to keep track of electronic messages has the technology director at Bellingham High School facing a daunting task.

"We're looking at a very broad definition of electronic communication, but basically we're being required to elevate instant messaging and e-mail to the same legal degree as paper," said Kelly Ahrens, the district's director of technology.

The school district, like all public schools nationwide, is required by an April U.S. Supreme Court ruling to track all electronic information produced by students and employees, including e-mails and AOL instant messages, that occur on school computers, said Ahrens.

The district, according to the ruling, would need to set up a system that would save and sort all data, a system they currently do not have. The archiving system would have to track e-mails, instant messages, documents, spreadsheets and all other electronic information, said Ahrens.

"For example, if you sent me an e-mail through the school system it would have to be archived," said Ahrens. "And I would have to be able to retrieve it later."

... "If you're in a federal case and are called upon to produce electronic data, like an e-mail or instant message, and don't have it, you could immediately lose the case or be forced to settle out of court," said Catallozzi.

... "Schools have to track student information for five years and business transactions for seven years, but that's never really been enforced until now," said Catallozzi.

... The school district should have had this archiving system in place on Dec. 1, 2006, but as long as it is working toward compliance there should be no penalties if something comes up, said Catallozzi.



This is an idea we should think about. It has the potential to make neighborhoods like the small town I grew up in (where everyone knew everything about everyone else) or it could devolve into a tool for ratting on your neighbors. (He's different, therefore he is a terrorist!)

http://news.bbc.co.uk/2/hi/technology/6364301.stm

Digital neighbourhood watch plan

A neighbourhood watch for the digital age, utilising the power of social networking, has been proposed.

Two lecturers in the US have suggested creating a network of Community Response Grids (CRG) in conjunction with the emergency services.

Citizens could leave text, video and photos on the site of emergencies, natural disasters and terror attacks.

A pilot could start later this year based at the University of Maryland, driven by 40,000 students and staff.

The idea of a nationwide network of 911.gov websites has been proposed by Maryland university lecturers Ben Shneiderman and Jennifer Preece in this month's edition of Science magazine.

"The 911 telephone system functions effectively when there are traffic accidents, health emergencies or small fires, but when large numbers of people are involved it does not handle the capacity," said Professor Shneiderman.

... "Peak service problems are substantial issues," said Prof Shneiderman.

"News sites have the same problem - when a big story breaks demand is 40 to 100 times greater than the normal load.

... "You would have to pre-register, the system would not allow anonymous entries.

... "We are expecting to have cell phone access. Many people's lives are directed by their cell phones - their communications, their social lives, contact with families."



How to justify anything...

http://scotlandonsunday.scotsman.com/international.cfm?id=264092007

Sun 18 Feb 2007

Sacked 'internet addict' sues IBM for £2.5m

NICHOLAS CHRISTIAN

A VIETNAM veteran who was fired by IBM for visiting an adult chat room at work is suing the company for £2.5m, claiming he is an internet addict who deserves treatment and sympathy.

New Yorker James Pacenza, 58, says he visits chat rooms as treatment for traumatic stress incurred in 1969 when he saw his best friend killed during an army patrol in Vietnam.



Dilbert's Health Plan will save companies millions!

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2007021523638.jpg
