Wednesday, February 28, 2007

This seems like a violation of procedure, but it points out that regular checks are required to ensure things are working as management intended. Or, change your procedure so everything is secure by default.

http://www.thedenverchannel.com/news/11129525/detail.html

Denver Court Dumps Private Records In Public Area

Private Information Found In Recycle Bins In City And County Building

POSTED: 6:28 pm MST February 27, 2007 UPDATED: 8:14 pm MST February 27, 2007

Video: Private Info Found In Public View At Denver's Courthouse

... 7NEWS Investigator John Ferrugia found confidential records on hundreds of Coloradans in recycling bins that are in plain view inside Denver's City and County Building.

... 7NEWS Investigators found driver histories -- complete with Social Security numbers, driver's license numbers and physical descriptions -- traffic tickets with dates of birth and phone numbers, and insurance cards complete with policy numbers.

"Would you want your Social Security number accessible like this?" Ferrugia asked building manager Steven Sholler.

Sholler said no, and he believes the court administrators are responsible for recyclables from individual courts.

... McConville showed 7NEWS the locked room and locked bins where such confidential records are supposed to be kept, explaining that the courts have procedures to shred such material.

... As a result of 7NEWS' investigation, the county court administrator has found out that the janitorial staff in the City and County Building has been discarding confidential recycling from court offices in the same bins as the regular recycling.

Court officials tell 7NEWS they have no idea how long this has been going on, but now say only court staff will handle discarded confidential records.



Probable scenario: Marketing plans the contests, tells IT what they want, IT assigns a junior programmer. Managers never consider privacy risks, but will quickly blame the junior programmer. (I wonder who tipped them off?)

http://www.securitypronews.com/insiderreports/insider/spn-49-20070227HoustonChronicleCluelessOnUserPrivacy.html

Houston Chronicle Clueless On User Privacy

David Utter Staff Writer 2007-02-27

A publicly available area on the Houston Chronicle's website allowed visitors to easily view text and spreadsheet files containing names, addresses, phone numbers, and emails of contest entrants.

What appears to be an improperly configured Apache web server allowed us to pull up a page on the Houston Chronicle site that the public should not be able to access.

The page contains dozens of spreadsheets and text files containing details on people who enter the newspaper's movie-related contests. Those documents are dated as far back as April 2006.

A selection of files we viewed contains the information listed above. One file, related to a Justin Timberlake contest for tickets to his March 4th show, has over 3,800 entries updated as recently as February 26th.

... UPDATE: 24 hours later, the page has finally been removed from the Chronicle's website. We had forwarded the URL in question to their webmaster and ombudsman addresses, but did not receive a response about the issue.



The advantage of hacking into computers over the Internet should be obvious – you're not there for the cops to tackle!

http://www.telegram.com/apps/pbcs.dll/article?AID=/20070228/NEWS/702280363/1002/BUSINESS

Suspects held in data thefts on Stop & Shop customers

By Ray Henry THE ASSOCIATED PRESS Feb 28, 2007

COVENTRY, R.I.— Four California men were arrested in what police said was a scheme to switch checkout-lane credit card readers at Stop & Shop supermarkets to steal customers’ numbers and passwords.

The men allegedly removed or tried to remove PIN pads from at least six stores in Rhode Island and Massachusetts and replaced them with alternate machines that would be used for several days to record shoppers’ credit card information, authorities said Tuesday. Later, the men would come back and replace the original keypads.

The men were arrested Monday night while allegedly attempting to switch keypads at a store in Coventry, police said. A store security officer called police after employees noticed one suspect trying to remove a keypad while two others were trying to distract store workers. [It worked several times before... Bob]

... Prosecutor Gina Lopes said her office was told by the U.S. Secret Service that the men may be part of a group suspected of similar activities in other cities, including Philadelphia, Las Vegas and Miami. [Again, HOW CAN PEOPLE NOT NOTICE THIS? Bob]

... Citizens Bank reported it lost $100,000 from the scheme and two other banks reported thefts of $10,000 and $5,000, Lopes said. She said the investigation continues. [From Identity Theft? Bob]

... The thefts were first discovered after a bank notified Stop & Shop that two store locations were the common links to illegal purchases made elsewhere. Stop & Shop investigated, and found evidence of keypad tampering.



More dirt!

http://news.com.com/2100-1014_3-6162720.html?part=rss&tag=2547-1_3-0-5&subj=news

Control freaks won at HP, ex-board member says

Former director Tom Perkins airs his side of the story in spying scandal that led to board members' resignations.

By Michael Kanellos Staff Writer, CNET News.com Published: February 27, 2007, 4:41 PM PST

SAN FRANCISCO--Former Hewlett-Packard Chairman Patricia Dunn won the battle over control of Hewlett-Packard's board, said former director Tom Perkins, and so did mediocrity.


...and the Video

http://news.com.com/1606-2_3-6162744.html?part=rss&tag=2547-1_3-0-5&subj=news

Video: Tom Perkins: HP did not want independent directors

Former HP director warns of governance without expertise

Thomas Perkins, co-founder and director emeritus of Kleiner Perkins Caufield & Byers, speaks at the Venture One Outlook conference in San Francisco about why current corporate boards can easily fail. He discusses the meltdown at Enron and the fallacy of building what he calls compliance boards that don’t know the specific industry of the corporation.

4 minutes 25 seconds Feb 27, 2007 5:16:00 PM



So if I want to show how bad the security was at some Canadian equivalent of TJX, I could publish all 40 million credit cards' info as “proof?” (The law doesn't even suggest limits...)

http://www.gov.ab.ca/acn/200702/2108604628DEE-0326-25F4-91730B8736C0F219.html

February 27, 2007

Information and Privacy Commissioner determines disclosure of personal information was for journalistic purposes only

Alberta's Information and Privacy Commissioner, Frank Work, has determined he does not have jurisdiction over disclosure of personal information contained in a newspaper article.

The Complainant alleged that the Organization had disclosed personal information when it published a newspaper article. The Organization argued that disclosure of the personal information was for journalistic purposes only as provided by section 4(3)(c) of the Personal Information Protection Act. As such the Act did not apply to the personal information in question.

The Commissioner agreed with the Organization that the disclosure was for journalistic purposes only and that he did not have jurisdiction over the personal information disclosed.

To obtain a copy of P2005-004 [So I did...Bob]

4(3) This Act does not apply to the following:

(c) the collection, use or disclosure of personal information, other than personal employee information that is collected, used or disclosed pursuant to section 15, 18 or 21, if the collection, use or disclosure, as the case may be, is for journalistic purposes and for no other purpose;



We often lose sight of the goal – traffic safety, wasn't it? Here's a disturbing trend. Is this “entrapment?” Next they will set the yellows to random times to increase the probability of 'violation'.

http://techdirt.com/articles/20070227/074231.shtml

Cities Put Revenue Over Driver Safety

from the looking-out-for-us dept

Several studies have shown that red light cameras, designed to catch people who run red lights, are in fact dangerous themselves. Drivers approaching yellow lights instinctively slam on their brakes when they see a camera (just to be on the safe side), which then leads to more accidents. Of course, this hasn't stopped cities from installing them, particularly since they represent a lucrative source of revenue. In fact, the pursuit of more revenue has led some places to shorten the length of yellow lights to increase the chances of someone getting caught running a red. Disturbingly, this practice looks like it might be somewhat common. In Lubbock, Texas, it was found that most of the intersections where the city was planning on installing cameras had shorter yellow lights than safety guidelines suggested. And this doesn't appear to be a coincidence. The city engineer actually told the city council that he would not increase the length of yellow lights, so as not to eat into the city's ticket revenue. There's really no other way to view this than to say that the city doesn't mind if more people die in accidents, as long as its ticket revenue stays high.



Perspective

http://www.bespacific.com/mt/archives/014082.html

February 27, 2007

Commentary on Our Increasingly Digitized Lives

Envisioning the Whole Digital Person, by Jonathan Follett, Published February 20, 2007: "Our lives are becoming increasingly digitized—from the ways we communicate, to our entertainment media, to our e-commerce transactions, to our online research. As storage becomes cheaper and data pipes become faster, we are doing more and more online—and in the process, saving a record of our digital lives, whether we like it or not." [via Darlene Fichter]

[From the article: The components that make up our digital lives largely fall into five categories—each presenting its own set of information management challenges:

* identification
* possessions
* content
* preferences
* records]



Is this possible only in the electronic world?

http://yro.slashdot.org/article.pl?sid=07/02/27/1917218&from=rss

Is "Making Available" Copyright Infringement?

Posted by kdawson on Tuesday February 27, @03:30PM from the RIAA-theory dept.

NewYorkCountryLawyer updates us now that the legal issue — is it copyright infringement merely to "make available" a copyrighted work? — has been argued by the attorneys in Elektra v. Barker (on January 26). Whichever way the ruling goes it will have a large impact across the Internet. Appeal seems likely either way. No ruling has issued yet but "a friend" has made the 58-page transcript "available" (PDF here).

[From the article: The argument is that even if a defendant has never copied or distributed a file illegally, the fact that he or she possesses a computer with a shared-files folder on it that contains copyrighted files "made available" over an Internet connection, this in and of itself constitutes infringement of the "distribution" rights of the sound recording copyright holder under Section 106(3) of the Copyright Act.]



Is this the modern version of a “Wanted Poster?” (Sort of a reverse “Rodney King?”)

http://www.rinf.com/columnists/news/police-use-youtube-to-catch-suspects

Police use YouTube to catch suspects

Eric Tucker Tuesday, February 27th, 2007

Patrolman Brian Johnson of the Franklin (Mass.) Police Department studied a surveillance video showing two men using allegedly stolen credit cards at a Home Depot.

But when Johnson didn’t recognize either man, he decided to involve people — lots of people — in the crime-solving process. He posted a clip from a security camera on YouTube.com, the video-sharing Web site, then sent e-mails to about 300 people and organizations to say the department was looking for the suspects.

“You don’t have to be a technology wizard to figure out how to watch a video on YouTube,” Johnson said. [Or to post a video... Bob]

... Robert Ellis Smith, a Providence-based privacy expert and publisher of the “Privacy Journal” newsletter, said video posted online should have the consent of bystanders or victims in order to protect their privacy. He also suggested the videos be dated and removed once any court proceedings are concluded.

“Victims of crimes are certainly entitled to be heard before that stuff is put on the Internet,” Smith said.



It's nice that Prof. Felten (anyone actually) agrees with me.

http://www.freedom-to-tinker.com/?p=1126

Sarasota: Could a Bug Have Lost Votes?

Tuesday February 27, 2007 by Ed Felten

At this point, we still don’t know what caused the high undervote rate in Sarasota’s Congressional election. [Background: 1, 2.] There are two theories. The State-commissioned study released last week argues for the theory that a badly designed ballot caused many voters to not see that race and therefore not cast a vote.


Related (NOTE that this is another video that raises questions officials aren't prepared to answer...)

http://techdirt.com/articles/20070227/104715.shtml

Questionable Voting Practices Caught On Tape; Voting Officials Seem More Concerned With Tape Origin

from the as-you-would-expect dept

A reader writes in to point out some questionable voting practices caught on videotape in Jacksonville, Florida. In the tape, a woman appears to vote twice, while an elections official is seen opening up a voting machine. It's not at all clear from the report what happened -- though, having the same woman deliver her optical scan ballot twice certainly raises some questions. Even though this was a paper ballot and an optical scan technique rather than a full e-voting system, the fact that the elections officer is able to open up a voting machine and do something to it without anyone saying anything disproves all the claims from people that "tampering" with an e-voting machine would be immediately obvious. All you need is an elections official saying that they need to "fix" something on the machine and no one's going to question what's going on. What's most interesting about this story, however, is that the elections officials seem a lot more concerned with how the security videotape got out, rather than what happened in the room. I'd like to give everyone the benefit of the doubt, and assume that whatever happened (even the same woman apparently voting twice) was legitimate -- but, even so, you would expect the voting officials to then come out and explain what happened, rather than get angry about the tape being leaked. [Why would anyone expect them to know what happened? Bob]



Useful? A better way to copy & paste? (Works with emails, too.)

http://www.podtech.net/home/technology/2237/demo-of-a-better-bookmark-clipmarks

Demo of a better bookmark: ClipMarks

Posted by Robert Scoble | February 27th, 2007 5:00 am

ClipMarks is shipping a new version today and it's an innovative service that lets you bookmark and link to information deep inside a page. You can choose a paragraph, a sentence or a picture — or other items — and save those for later, or send them to your friends, or link to them. Here, co-founder of ClipMarks Eric Goldstein, gives us a demo and shows us why this should be useful for you.




Education tool. Think of this as a way to illustrate what personal information can be obtained (legally) and the source(s).

http://turbulence.org/Works/swipe/calculator.html

THE SWIPE TOOLKIT: DATA CALCULATOR

This calculator allows you to determine what your data bits are worth on the open market so you can request proper compensation when it is asked from you. For instance, a typical cellular phone company will ask for your address, date of birth, phone number, Social Security number and driver's license to open a new account. Consult our data calculator and that will be $13.75 please!

Refer to this calculator when you interact with all businesses and government agencies. Make sure you get a cut of the profits from the reselling of your information. (A downloadable data calculator for Pocket PCs is on the way.) [Then we can wave it in the face of those ignorant teenagers and demand immediate payment! Bob]

We used the following sources to determine the worth of your individual data bits: Accurint, Aristotle, ChoicePoint, ChoiceTrust, DocuSearch, Experian, KnowX, Merlin Data, and Pallorium. There are many other commercial data warehouses in the U.S., but these are some of the most popular and represent the general types of information that are for sale.
