Friday, February 02, 2007

Typical Friday story.

http://www.boston.com/business/ticker/2007/02/workers_comp_da.html

Thursday, February 1, 2007

Workers comp data stolen

A former state contractor allegedly accessed a workers' compensation database to steal personal information and fraudulently obtain credit, the Department of Industrial Accidents announced today.

The agency said up to 1,200 people who had submitted workers' compensation claims to the state -- and their Social Security numbers -- may have been compromised, although officials have evidence that only three people had their personal information used improperly.

The worker, who was not immediately identified, was fired, arrested and charged with identity fraud. Law enforcement officials notified the agency of the alleged breach. [Insider actions are more difficult to detect, but not impossible. Bob]

"The DIA has taken swift action to inform the public and the 1,200 individuals potentially affected by this situation," the agency said in a statement. "DIA has sent written notifications directly to the potentially impacted claimants. In addition, DIA has posted information on its web site [ http://www.mass.gov/dia/ ] and established a telephone hotline to address claimant concerns."

The statement added: "All of us at the Department of Industrial Accidents deeply regret what happened. We take our public trust very seriously and we are taking immediate steps to ensure that this situation does not happen again."



Even evil intent winds up exposed on the Internet.

http://www.pogowasright.org/article.php?story=20070201151800621

Ripon firm tried to keep tax error mum, records show

Thursday, February 01 2007 @ 03:18 PM CST - Contributed by: PrivacyNews - Breaches

A printing company responsible for an error that led to the disclosure of thousands of Wisconsin taxpayers’ Social Security numbers tried to convince the state Department of Revenue to keep the mistake quiet, e-mail records show. Revenue officials initially agreed taxpayers should not be notified and asked media outlets not to report the story, concerned disclosure would increase the risk of identity theft, e-mails obtained by The Associated Press show.

Source - http://www.thenorthwestern.com/apps/pbcs.dll/article?AID=/20070202/OSH0101/70201103/1128/OSHnews



Not the most brilliant logon process.

http://news.com.com/2100-1030_3-6155425.html?part=rss&tag=2547-1_3-0-5&subj=news

Police blotter: Texas student guilty in SSN hack

By Declan McCullagh Story last modified Fri Feb 02 04:00:03 PST 2007

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Former University of Texas student appeals conviction of computer fraud.

When: The 5th Circuit Court of Appeals rules on January 24.

Outcome: Conviction, restitution and sentence of five years of probation is upheld.

What happened, according to court documents:
Around 1990 at Carnegie Mellon University, an undergraduate student wrote a program designed to steal his classmates' accounts.

It mimicked the text-based login prompt used on the school's Sparcstations and DECstations, and surreptitiously recorded hapless students' usernames and passwords when they tried to log in. Once those were saved, it printed the equivalent of "try again," exited and brought up a real login prompt.

The faux username prompt was discovered when a system administrator tried to log in--and noticed the system rejected his password far more quickly than it should have, if it actually took the time to authenticate through the Kerberos protocol. After being nabbed and disciplined internally, the student graduated and went on to work as a staff member at the university. Today he's a well-respected programmer.

That was a more innocent era, before the rise of the Web and widespread criminal activity online. Just ask Christopher Phillips, a former University of Texas computer science student who was convicted in federal court of hacking and is appealing his sentence.

Phillips wrote a Java program that was less clever and more aggressive than the one at Carnegie Mellon more than a decade earlier. It used the brute-force method of trying to connect to a UT computer called "TXClass Learning Central," which required only a Social Security number to log in. (A more secure system would have required a password and other hard-to-guess information as well.)

The Java program was eventually refined so that instead of trying random SSNs, it generated ones that came from only the 10 most populous Texas counties. (The formula is publicly available.) When Phillips' program found a valid SSN, it entered that person's account and automatically extracted personal information about that individual from the TXClass database. The Java program then changed the SSN by an increment of one and tried again.

What's a little odd is that this apparently continued for some 14 months without UT realizing what was going on. [Not odd at all, unfortunately. Bob] Normally, TXClass received 20,000 log-in attempts per month, but Phillips' program increased it to as many as 1.2 million. [You won't notice this if you don't monitor activity. Bob] The overload allegedly caused TXClass to crash several times in early 2003, making hundreds of Web applications inaccessible--including online library, payroll, accounting, admissions and medical databases.
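The monitoring gap Bob points to is straightforward to close with a rate baseline. The following Python is an added example, not code from News.com, UT or the court record; the log format, the sample lines and the baseline of a few hundred attempts per hour (the figure Phillips concedes in the opinion excerpt below, against his 40,000) are constructed or assumed for illustration. It flags hours whose total login volume is far above baseline and, separately, any single client that tries many distinct identifiers in an hour while almost never succeeding, which is the footprint of identifier enumeration rather than a user mistyping a credential.

```python
"""Login-volume and enumeration monitor (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical log format: "<ISO-8601 timestamp> <client IP> <identifier token> <result>".
# The identifier token stands for an opaque value (e.g. a keyed hash of the
# submitted credential), so the log never stores the credential itself.
# Constructed sample: eight ordinary attempts during the 09:00 hour, then 4,000
# attempts from one client during the 10:00 hour, each with a new identifier.
NORMAL_TRAFFIC = [
    f"2003-01-15T09:{m:02d}:00 10.1.{m % 5}.{m} id{m % 40} {'ok' if m % 3 else 'fail'}"
    for m in range(0, 60, 8)
]
BURST_TRAFFIC = [
    f"2003-01-15T10:{(s // 60) % 60:02d}:{s % 60:02d} 192.0.2.7 id{1000 + s} fail"
    for s in range(4000)
]
SAMPLE_LOG = "\n".join(NORMAL_TRAFFIC + BURST_TRAFFIC)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    source: str
    ident: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, ident, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), source, ident, result == "ok"))
    return attempts


def _hour(ts: datetime) -> datetime:
    """Truncate a timestamp to the start of its hour (the bucketing unit)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def hourly_volume_alerts(attempts, baseline_per_hour=300, factor=5):
    """Return {hour: count} for hours whose total attempts exceed factor x baseline.
    The baseline is what the service normally sees; with a few hundred requests
    per hour as the norm, 300 x 5 would have caught 40,000 immediately."""
    per_hour = defaultdict(int)
    for a in attempts:
        per_hour[_hour(a.ts)] += 1
    return {h: n for h, n in sorted(per_hour.items()) if n > baseline_per_hour * factor}


def enumeration_alerts(attempts, min_distinct=100, max_success_rate=0.05):
    """Return (source, hour, distinct_identifiers) for clients that try many
    different identifiers in one hour and almost never succeed. A legitimate
    user who mistypes retries the same identifier; an enumeration walks through
    many of them, so the distinct count, not the raw count, is the signal."""
    buckets = defaultdict(lambda: {"idents": set(), "n": 0, "ok": 0})
    for a in attempts:
        b = buckets[(a.source, _hour(a.ts))]
        b["idents"].add(a.ident)
        b["n"] += 1
        b["ok"] += int(a.ok)
    return [
        (src, hour, len(b["idents"]))
        for (src, hour), b in sorted(buckets.items())
        if len(b["idents"]) >= min_distinct and b["ok"] / b["n"] <= max_success_rate
    ]


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    for hour, n in hourly_volume_alerts(attempts).items():
        print(f"volume alert: {n} attempts in hour starting {hour} (baseline ~300/hour)")
    for src, hour, distinct in enumeration_alerts(attempts):
        print(f"enumeration alert: {src} tried {distinct} identifiers in hour starting {hour}")
```

Both checks run over the same parsed records, so a batch job against the previous hour's log (or a streaming equivalent with the same buckets) is enough; the volume check would also have caught the crash-inducing load the article describes, while the per-source check catches a slower enumeration that stays under the volume threshold.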

Eventually, UT discovered the intrusion attempts and contacted the Secret Service. Phillips admitted that he was behind the brute-force attack on TXClass, but claimed that he was not going to use or sell the information.

He was indicted and convicted by a jury of one count of computer fraud. An article from June 2005 in the Austin American-Statesman said Phillips was 22 years old and that he was acquitted of more serious charges.

"I'm sorry to my parents, the University of Texas and all these people," he said at the time. "It just wasn't in my mind-set that this kind of thing was going to have this sweeping effect."

A federal judge sentenced Phillips to five years of probation, 500 hours of community service and restitution of $170,056, the amount the university said it cost to investigate and fix the problem. He appealed, claiming that the restitution figure was too high and that the jury instructions were in error.

The 5th Circuit Court of Appeals upheld Phillips' conviction and sentence on January 24.

Excerpts from the 5th Circuit's opinion:

Phillips asserts that the Government failed to produce sufficient evidence that he "intentionally access(ed) a protected computer without authorization."

Courts have therefore typically analyzed the scope of a user's authorization to access a protected computer on the basis of the expected norms of intended use or the nature of the relationship established between the computer owner and the user.

Applying such an intended-use analysis, in United States v. Morris (PDF), a case involving an invasive procedure that prefigured modern port scanning, the Second Circuit held that transmission of an Internet worm designed "to demonstrate the inadequacies of current security measures on computer networks by exploiting...security defects" was sufficient to permit a jury to find unauthorized access.

Phillips' brute-force attack program was not an intended use of the UT network within the understanding of any reasonable computer user and constitutes a method of obtaining unauthorized access to computerized data that he was not permitted to view or use.

During cross-examination, Phillips admitted that TXClass' normal hourly hit volume did not exceed a few hundred requests but that his brute-force attack created as many as 40,000. He also monitored the UT system during the multiple crashes his program caused and backed up the numerical ranges of the Social Security numbers after the crashes so as not to omit any potential matches.

Phillips intentionally and meticulously executed both his intrusion into TXClass and the extraction of a sizable quantity of confidential personal data. There was no lack of evidence to find him guilty of intentional unauthorized access.

Phillips makes a subsidiary argument that because the TXClass Web site was a public application, he, like any Internet user, was a de facto authorized user. In essence, Phillips contends that his theft of other people's data from TXClass merely exceeded the pre-existing generic authorization that he maintained as a user of the World Wide Web, and he cannot be considered an unauthorized user.

This argument misconstrues the nature of obtaining "access" to an Internet application and the CFAA's use of the term "authorization." While it is true that any Internet user can insert the appropriate URL into a Web browser and thereby view the "TXClass Administrative Training System" login Web page, a user cannot gain access to the TXClass application itself without a valid Social Security number password to which UT has affirmatively granted authorization.

Neither Phillips nor members of the public obtain such authorization from UT merely by viewing a login page or clicking a hypertext link. Instead, courts have recognized that authorized access typically arises only out of a contractual or agency relationship.

Finally, Phillips contends that the district court erred in its award of restitution for costs incurred by UT in conducting a computer damage and systems evaluation, and contacting individuals whose biographical information and Social Security numbers were stolen.

Since Phillips raises this issue for the first time on appeal, we review the award for plain error. There is no error at all... UT was a victim, and it collaborated with the investigation and incurred costs to notify other victims of Phillips' data theft in order to determine whether they had suffered further damage.



This type of law to “prevent Identity Theft” will no doubt become very popular. It also reduces the potential for people to report finding personal data in the bank/hospital/government agency's trash.

http://www.eastvalleytribune.com/index.php?sty=83303

'Dumpster diving'? Get permission first

By Brian Powell Tribune February 1, 2007

Scottsdale has banned taking trash out of a container without permission, or "Dumpster diving," saying it will help protect against identity theft. The City Council voted 4-2 to make it illegal to collect, scavenge or disturb the garbage in a trash can or recycling container unless authorized to do so.

The council chose not to include a prohibition on taking items set out on the curb by a homeowner [who we know to be second class citizens... Bob] for bulk trash pickup, such as a couch or other household items that often disappear before the actual collection.

Police Chief Alan Rodbell said the ordinance will allow patrol officers to approach someone who they feel may be looking to steal identification from the garbage, which in older city neighborhoods is placed in alleys behind homes.

This also presents an opportunity for people to observe homes and yards. [Is this one of those “you have to be a lawyer to understand” things? Bob]

... A report presented to the council said that scavenging through garbage is one of the main ways criminals gather information for identity theft. That information also could be traded for drugs, the report states.

In addition, the report said this will prevent the unsanitary and unhealthy activity.



Another step to reduce litigation: make it impossible to gather evidence?

http://www.nytimes.com/2007/02/01/nyregion/01tape.htm?_r=3&oref=slogin&oref=slogin&oref=slogin

Student’s Recording of Teacher’s Views Leads to a Ban on Taping

By TINA KELLEY February 1, 2007

After a public school teacher was recorded telling students they belonged in hell if they did not accept Jesus as their savior, the school board has banned taping in class without an instructor’s permission, [Teachers gots rights, chillins doesn't! Bob] and has added training for teachers on the legal requirements for separating church and state.

A junior at Kearny High School in New Jersey, Matthew LaClair, 16, complained to his principal after the teacher in his American history class, David Paszkiewicz, told students that evolution and the Big Bang were not scientific, that dinosaurs were aboard Noah’s ark and that only Christians had a place in heaven. He started recording the comments in September because, he said, he was afraid school officials would not otherwise believe that the teacher had made them. Matthew said he was ridiculed and threatened after his criticism became public.

After several students complained to the school board that their voices had been broadcast on the Internet and on television news programs without their consent, the board adopted a policy in mid-January that requires students to request permission from an instructor to record or videotape a class.

... Meanwhile, Matthew said that Mr. Paszkiewicz recently told the class that scientists who spoke about the danger of global warming were using tactics like those Hitler used, by repeating a lie often enough that people come to believe it.

Mr. Lindenfelser said that the district did not investigate the report of that comment, which he said was not religious or a violation of “any kind of law.”


It could be worse... We could be living in a very liberal state.

http://news.bostonherald.com/localRegional/view.bg?articleid=180436

SJC: private schools have more leeway than public in searches

By Associated Press Thursday, February 1, 2007 - Updated: 07:25 AM EST

BOSTON - Students who attend private schools do not have the same protections against unreasonable searches as students who attend public schools, [No doubt this will make it easier to search students in religious (read: Muslim) schools. Bob] the state’s highest court said Wednesday in a ruling some legal analysts said could lead to arbitrary searches of backpacks or lockers.

The Supreme Judicial Court drew a distinction between public school officials and private school officials in the case of three Catholic school students who were arrested after drugs and alcohol were found in their hotel room during a school ski trip.

The court said that public school officials are agents of the state and therefore subject to the rule against unreasonable searches contained in the Fourth Amendment. But the court said the same protections don’t apply in private schools.

“Fourth Amendment protection does not apply to searches conducted by persons who are not state agents,” the court ruled in a unanimous, 7-0, decision.

Justice Roderick Ireland, in a concurring opinion, urged private schools to develop search policies to guard against abuses.

... “Parents don’t need any justification to search their child’s room at home, and many parents chose private schools specifically for the reason they want them to do the same thing they would do,” said Capeless. “This is private action by private individuals.”



Does this suggest that Sarbanes doesn't already cover computer security? Surely that is part of a “system of control” over financial data.

http://techdirt.com/articles/20070201/100011.shtml

What A Sarbanes-Oxley For Computer Security Might Look Like

from the bad-ideas dept

One problem with all of the constant talk about data breaches, phishing and identity theft is that it definitely has the potential to induce some shortsighted legislation in hopes that it will make the problem go away. Some have even said that nothing will happen on the legislative front until we see some sort of "digital Enron" that forces politicians into action. Of course, the actual Enron resulted in the much-lamented Sarbanes-Oxley, which stands as evidence that sweeping laws shouldn't be made in haste, during times of crisis. It's not clear whether or not we've had our "digital Enron" yet, but already some pundits are putting forth their ideas for a digital Sarbanes-Oxley. Ira Winkler at Computerworld argues that Congress should mandate ISP liability for malicious traffic on their networks, something which we've argued many times is a bad idea, since it's an approach that goes after the wrong party. But this is just the beginning. In addition to placing liability on ISPs, he says that individual computer users should be held liable if they fail to keep their computer secure, and it becomes part of a botnet. It's really hard to know where to start with that idea, other than to say that it again goes after the wrong party, and it could really discourage the average person from ever wanting to go online. His final suggestion is that Congress pass a law that makes security software better. He doesn't really offer anything concrete on this point, which is not surprising, because it's really out of the realm of what Congress can do. Simply legislating that something be made better will only increase the costs of making it, and reduce its availability. Seeing as the government can't even pass effective laws against spam, anything that it does in the area of identity theft or computer security should be viewed suspiciously. Fortunately, this particular proposal seems so extreme, it's hard to imagine it going anywhere.
It's also interesting to note that this is the second thing we've seen today from Computerworld that calls for more government involvement in tech issues. Sounds like they could use some more skepticism about the government's ability to solve these problems.



Another contradiction. “Good law is complex law.”

http://techdirt.com/articles/20070130/225828.shtml

Without Copyright Owner's Permission

from the good-decisions dept

The right of first sale is an important feature of copyright law that doesn't get that much attention. Since copyright has fundamentally different characteristics than traditional property, questions have arisen concerning whether things that you can do with tangible property also apply to copyrighted creative works. So, for example, if I buy a chair from the guy who built a chair, I can legally resell that chair without getting permission from the guy who made it. However, if I buy copyrighted content from someone, can I then resell that content the same way I could resell that chair? The right of first sale says that, in most cases, I can -- assuming, of course, that I haven't just sold the content, but also gotten rid of any copies I own as well. Of course, in most cases, content owners have now gotten around this by not selling you content, but merely licensing you the use of their content under very limited terms. Either that, or they've put in place technical measures, such as DRM, that make it effectively impossible to exercise your right of first sale. There are some areas where the right of first sale still matters. In fact, it's an issue that's been fought about in some areas, such as when the UK discussed banning the right of first sale on artwork -- meaning that any sale of a particular piece of artwork (even after it was sold initially) needed to have the approval of the artist.

Back in the US, there was recently a case that looked at first sale doctrine as it relates to audio books. William Patry explains the decision found that there's no copyright violation in renting out audio books without first getting the copyright holder's permission. The law has banned that right for music and computer software -- but since the law doesn't clearly describe audio books as well, the court found that it was not exempt from right of first sale coverage. This is definitely a good decision -- though, it wouldn't be surprising to see publishers now freak out about this and push for more explicit language to be added to the law at some point.



If the previous article wasn't enough to make you think copyright law was strange...

http://techdirt.com/articles/20070201/140812.shtml

NFL Wants To Remind You That Having People Over To Watch The Super Bowl On A Big Screen Is Copyright Infringement

from the laws-written-by-lobbyists dept

What is it with sports leagues and their desire to limit how their fans can enjoy the game? There's Major League Baseball, who keeps trying to insist that they own the facts related to a game, and no one can use them without paying MLB first. Then, there's the NFL, who freaked out about TiVo and also tried to ban any broadcasters from using "unauthorized" video feeds to show what happens in the stadium (i.e., no sideline cameras any more). They've been particularly fussy about the Super Bowl, however, forcing advertisers to call it "the Big Game" or whatever, claiming excessive control over the trademark (remember, trademarks are really designed to prevent consumer confusion, not to give holders full control over the mark).

The latest situation is perhaps even more bizarre -- but tragically, seems to fall closer to a correct legal reading of a really poorly written law. The NFL apparently nastygrammed a church for planning to host a Super Bowl party. The original complaint was first that the church was charging people, but also that they used the term "Super Bowl" (as if people would somehow believe that the church was associated with the NFL?). After the church agreed to let people in for free and not use the term, the NFL continued to complain, saying that showing the Super Bowl on a screen larger than 55 inches represents copyright infringement. While we, at first, doubted the reality of this, Ben Austro sent in the fact that it is, indeed, spelled out in copyright law that once you get above 55", you may be talking about a "public performance," though, as Ben notes, the wording sounds like it was clearly written by a lobbyist. No matter what the law states, this seems ridiculously short-sighted by the NFL. It's hard to see how they lose out in any meaningful way by not allowing groups to watch the Super Bowl together. Of course, now that this particular quirk of copyright law is getting some attention, how long will it be until the MPAA starts cracking down on those of you with really big screen TVs from showing movies in your home theaters. What was a joke just a few months ago, may become real.



Would this hold even where the company monitored e-mail and took action for some “violations of policy” but ignored others?

http://techdirt.com/articles/20070201/151427.shtml

California Court Exempts Employers From Email Liability

from the breathing-room dept

For reasons related to regulatory compliance and legal liability, many companies have rather strict policies on how employees can use their company email addresses. Often, the policies seem overly strict, but with the constant chatter over things like getting sued for sexual harassment for failing to block porn spam, we can understand their desire to err on the side of caution. Some California companies may see some relief as a judge has ruled that employers are not liable for the email activity of their employees. It cited the same law that exempts ISPs and sites like Craigslist from the activities of their users. Still, it seems the ruling is likely to open up a fresh can of worms. In this case, things were fairly cut and dried, as the court ruled that Agilent didn't bear any responsibility for harassing emails that its employees sent to an opposing party in a lawsuit. But there are other situations where things could get trickier, particularly if the email seems to have been sent in some official company capacity. So for now, even with the ruling, it's not too likely that companies will loosen the reins much in terms of email policy.



Free is good!

http://education.zdnet.com/index.php?p=814

January 31, 2007

Legal download service Ruckus expands to all colleges

Ruckus Network, a free and legal online music resource, has expanded service to include all U.S. colleges, not just subscribers, reports eSchool News.

The service, currently used by over 100,000 students, used to be only available through universities that had an agreement with the company. Now, any student that has a valid .edu email account can download music for free. There is, however, a charge for transferring music to a portable music player such as an iPod or MP3 Player.



http://www.bespacific.com/mt/archives/013820.html

February 01, 2007

Special Master Reports Now Available on U.S. Supreme Court Site

Special Master Reports are now posted on the Supreme Court's website, under the link for Dockets, which in turn has a link to Special Master Reports on the bottom portion of the page.

  • Via Wex: "A "special master" is appointed by a court to carry out some sort of action on its behalf. Theoretically, a "special master" is distinguished from a "master". A master's function is essentially investigative, compiling evidence or documents to inform some future action by the court, whereas a special master carries out some direct action on the part of the court. It appears, however, that the "special master" designation is often used for people doing purely investigative work, and that the simple "master" designation is falling out of use."



Something for my “Business Continuity” class

http://www.pandemicflu.gov/plan/community/community_mitigation.pdf

Interim Pre-pandemic Planning Guidance:

Community Strategy for Pandemic Influenza Mitigation in the United States—



Potential for a collaborative blog?

http://www.podtech.net/home/technology/2022/demo-of-trailfire-shows-new-way-to-share-find-whats-important-on-the-web

Demo of Trailfire shows new way to share find what's important on the Web

MP4 Video | Posted by Robert Scoble | February 1st, 2007 2:35 pm

Trailfire is a new way to both mark what you find is important on the Web as well as find other "trails" that people have left for you. I'm not explaining it very well, it's a cool way to group together interesting sites. Here is a good demo of Trailfire and why it might be useful.
