Wednesday, March 28, 2007

Not clear if this was all on paper (might be a really big briefcase) or why anyone would be carrying all that information off-site.

http://www.pcw.co.uk/computing/news/2186498/halifax-admits-customer-stolen

Halifax admits customer data has been stolen

13,000 mortgage customers' information could be at risk

Tom Young, Computing 27 Mar 2007

UK Bank Halifax has started writing to 13,000 mortgage customers to inform them that some of their details were contained in documents stolen from a member of staff late last week.

The bank says a briefcase including customer account details was stolen from a Halifax employee's car late on Wednesday evening last week. The incident was promptly reported to all the relevant authorities, including the Financial Services Authority (FSA).

... Around 1,800 of the relevant customer records included name, address, mortgage account number and balance. The remainder of the records – the vast majority – listed the customer's name, mortgage account number and approval status.



Good reporter on this one!

http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=2376

Stolen NHS laptop contained details of 11,500 children

Names, addresses and dates of birth on laptop taken from office

By Tash Shifrin March 27, 2007

An NHS primary care trust has launched an investigation after a laptop containing names, addresses and dates of birth of 11,500 children was stolen from its offices.

Nottinghamshire Teaching PCT chief executive Wendy Saviour said three laptop computers were stolen on Wednesday 21 March, one of which held the data on child patients aged between eight months and eight years.

... But the PCT was unable to explain why the confidential information on thousands of children was held on the laptop. [Thank God someone asked the question! Bob] In a statement, the PCT said: “This is a matter that is currently under investigation and we wouldn't want to pre-empt the outcome of that ongoing investigation.”

... Gary Clark, EMEA vice-president of security firm SafeNet said: "It is of extreme concern that access to a stolen laptop containing the details of 11,000 young children was protected by nothing more than a password."

The use of passwords alone was "woefully inadequate", [I like this guy! Bob] he added. "Passwords need to be reinforced with stronger authentication. Encrypting the data and using smart cards or USB tokens to unlock the laptop will reduce the risk of unauthorised access."



Another incredibly stupid assertion...

http://fergdawg.blogspot.com/2007/03/hundreds-of-gmail-yahoo-msn-passwords.html

Hundreds Of Gmail, Yahoo, MSN Passwords Exposed By Entertainment Web Site

Paul McDougall writes on InformationWeek: Tuesday, March 27, 2007

A Los Angeles publisher of online lifestyle and entertainment magazines has inadvertently exposed the personal e-mail addresses and passwords for hundreds of its subscribers, InformationWeek has learned.

The victims are all members of sites operated by Splash Magazines Worldwide, which publishes local versions of its magazines under URLs like NYCSplash.com and LASplash.com.

The list of e-mail addresses and passwords for members' Gmail, Hotmail, Yahoo, and other accounts would turn up in the results of unrelated Google searches Monday if those searches happened to contain at least two keywords that matched the names of Splash members. InformationWeek confirmed that the security hole was still open as of 4 p.m. Monday.

Splash founder Larry Davis said in an interview that he was not aware of the security problem and did not know how it could have occurred. "We have a Webmaster who is supposed to know all about security," said Davis. [This is the same logic that “proves” the Chief Privacy Officer understands HTML. Bob]



Do these people listen to themselves? “These were unreadable until they were read.” “It must be the computer's fault!”

http://www.iberianet.com/articles/2007/03/27/news/news/news15.txt

SS numbers accessed

Tuesday, March 27, 2007 1:47 PM CDT By Randy Louis The Daily Iberian

CENTERVILLE — Rosters containing information, including Social Security numbers, of about 380 St. Mary Parish public school employees were accessed March 19 by a Yahoo! Web page search engine crawler.

St. Mary Parish schools Superintendent Donald Aguillard said the crawler violated the school district Web page by accessing a database that stored 2002 through 2004 staff development rosters.

“These files were previously secure,” Aguillard said. “Yahoo!’s new aggressive Web crawler infiltrated the public server [If it did more than “click on a link” sue them! Bob] and our technology department responded immediately to the breach in security by addressing the following:

Contacting Yahoo! and demanding that our information be stricken from cached files,

notified all workshop participants of the possibility that their personal information was revealed,

while also contacting the Web page archiving services and demanding the removal of our cached pages.”

[Do any of these remove the data or change security settings? Bob]

Aguillard said the school system had a file that had been unreadable over the Internet until the Yahoo! search engine got to the public server. [perhaps they don't know what public means? Bob]

... Some of the steps Aguillard said the technology department did to secure the system was to protect all public files from current archiving engines and secure the school system Web site from robot crawlers. [Apparently not. Bob]
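The Splash Magazines item above (a member list turning up in Google results) and this one (a roster reached by a Yahoo! crawler) share the same root cause: a file the server hands to anyone who asks. "Securing the site from robot crawlers" means a robots.txt file, which is a request to polite crawlers, not an access control. The following model is an added example, not code from either article, the school district or Splash; every path, record and credential in it is constructed. It shows a polite crawler skipping a disallowed path while a client that ignores robots.txt still gets the file, and a real server-side check being the only thing that actually returns 401.

```python
"""Added example (constructed): robots.txt versus server-side access control.
robots.txt only advises well-behaved crawlers; the server below enforces
HTTP Basic auth on one path and never consults robots.txt at all."""
import base64
import hmac
from urllib.robotparser import RobotFileParser

# Constructed robots.txt of the kind a site might deploy after such an incident.
ROBOTS_TXT = """User-agent: *
Disallow: /staff/
"""

# Constructed document store: path -> (requires_auth, body).
# The 2003 roster is still served publicly; only robots.txt "hides" it.
DOCUMENTS = {
    "/index.html": (False, "public home page"),
    "/staff/roster-2003.html": (False, "staff roster (misconfigured: public)"),
    "/staff/roster-2004.html": (True, "staff roster (access-controlled)"),
}

# Constructed credential for the access-controlled area.
VALID_USERS = {"it-admin": "correct horse battery staple"}


def robots_allows(path, user_agent="*"):
    """What a well-behaved crawler concludes from robots.txt for this path."""
    parser = RobotFileParser()
    parser.parse(ROBOTS_TXT.splitlines())
    return parser.can_fetch(user_agent, "http://district.invalid" + path)


def basic_auth_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _authorized(authorization):
    """Check a Basic Authorization header against VALID_USERS (constant-time compare)."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # bad base64 or non-UTF-8 payload
        return False
    expected = VALID_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def serve(path, authorization=None):
    """Server side: returns (status, body). Enforces auth; ignores robots.txt."""
    if path not in DOCUMENTS:
        return 404, ""
    requires_auth, body = DOCUMENTS[path]
    if requires_auth and not _authorized(authorization):
        return 401, ""
    return 200, body


def fetch(path, honors_robots, authorization=None):
    """Client side: None if a polite crawler skips the path, else the HTTP status."""
    if honors_robots and not robots_allows(path):
        return None
    status, _ = serve(path, authorization)
    return status


if __name__ == "__main__":
    admin = basic_auth_header("it-admin", "correct horse battery staple")
    for path in DOCUMENTS:
        print(path, "polite crawler:", fetch(path, True),
              "scraper:", fetch(path, False), "admin:", fetch(path, False, admin))
```

The 2003 roster is the St. Mary Parish situation: a crawler that honours robots.txt never requests it, a search engine that does not (or any browser with the link) gets a 200, and nothing on the server changed. Moving the file behind the same check as the 2004 roster, or off the public server entirely, is the fix; asking search engines to purge their caches is not.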



A report

http://www.ifex.org/en/content/view/full/82045/

FRONT LINE RELEASES DIGITAL SECURITY AND PRIVACY MANUAL

(27 March 2007) Are you a human rights worker who uses computers in your job? Are you afraid that your electronic work is not private and secure when it needs to be? If so, check out Front Line's indispensable "Digital Security and Privacy for Human Rights Defenders" manual.

The manual is divided into four parts that can be read in any order. Section One is about understanding your security needs and vulnerabilities. Section Two gives you handy advice on how to defend yourself, including protecting your work from viruses and spam attacks and getting around Internet censors. The third part tells you about restrictive legislation around the world, and the fourth section offers possible electronic insecurity scenarios you and your organisation might face, and some practical solutions.

The manual is available online, making it easy to skim through the various sections: http://www.frontlinedefenders.org/manual/en/esecman/



Another report...

http://www.raeng.org.uk/policy/reports/pdf/dilemmas_of_privacy_and_surveillance_report.pdf

Dilemmas of Privacy and Surveillance



I would expect any careful organization would do this.

http://blog.wired.com/business/2007/03/enough_about_me.html

Tuesday, March 27, 2007

Microsoft Sends Secret Dossier on Reporter, to Reporter

Imagine being asked one day, "Would you like to see your FBI file?" You'd say "Yes," right? But then ask yourself a different question: "How will it make you feel to know all that information?"

I recently got about as close as one can get to this experience. While reporting a story on Microsoft's video blogging initiative – something called Channel 9 – the dossier that Microsoft and its outside public relations agency Waggener Edstrom keeps on me accidentally ended up in my email inbox.

... The timing was so fortuitous that I wondered whether it was intentional. When I told Microsoft about it, they convincingly told me it was not.

... It also was strange to see just how many resources are aligned against me when I write a story about Microsoft.

... But it seemed clear from the memo that there were close to a dozen other people involved. Some transcribed the interviews I conducted; others kept notes on my every utterance for clues about what questions I might ask next and ultimately what my story would say; others briefed executives with questions I had asked and suggested good answers. Indeed, if you read the memo closely it's clear that my experience with Microsoft on this story was their end game. For something like six months prior they had been plotting to get Wired to write a story about Channel 9 and had dispatched three executives to meet with editors at the magazine in hopes of setting their hook.

To read the entire memo click here.

{Update 1} Waggener Edstrom President Frank Shaw's post on the Wired story and on the memo is up.

Read it here

{Update 2} Wired Editor in Chief Chris Anderson's post about the Wired story and the memo is up. Read it here



If it's new, you aren't sure you understand it, therefore you should attempt to stop it?

http://techdirt.com/articles/20070326/160131.shtml

Is Describing The Sporting Event You're Watching Copyright Infringement? How About Animating It?

from the so-says-some-sports-leagues dept

Last year, we noted that as various professional sports leagues were becoming increasingly ruthless in claiming ownership over any data associated with a sporting event, it seemed as though (based on the reasoning of those leagues) it could actually be considered to be copyright infringement just to describe the sporting event you were attending. On the face of it, that sounds ridiculous -- especially since copyright law is clear that you can't own facts. But, leave it to sports leagues to deny that basic element of copyright law. In the past, Major League Baseball has been particularly aggressive on this front. For a period of time, they were trying to force sites to stop reporting real-time information on games in progress via graphical applets. Of course, it isn't too hard to go from there to wondering how a league would respond to a completely virtual recreation of the game in progress... and apparently, just such a debate is already happening.

Boing Boing points us to a discussion over whether a 3D animated replay of a cricket game is considered to be copyright infringement or not. It seems pretty ridiculous to think that it would be -- again, it's just taking the factual information from the game (which can't be copyrighted) and feeding it into a 3D model, such as a video game. Yet, as these video games get increasingly realistic, you can just imagine that the sports leagues are going to start crying foul (or, rather, demanding payment). Of course, that's silly. No one who can watch the actual game is going to prefer to watch an animated recreation instead -- so all the recreation is doing is attracting more attention to the game from those who are unable to watch it on TV. Yet, in this age, where people are being taught to believe that intellectual property rights mean that you have full control over everything, we're going to be seeing more and more challenges to things like these animated recreations.



Another tool....

http://www.govtech.net/magazine/story.php?id=104624

Online Resource for Identity Document Security Information

March 27, 2007 News Release

Former 9/11 Commission counsel Janice Kephart announces the launch of an online Identity Document Security Library, consisting of legal, technical and policy pieces regarding identity document security. Kephart, a nationally recognized border security expert, created the library to serve as a 'one-stop-shop' information portal for those seeking objective, credible information on the issue of identity document security.

The library contains federal, state and international legal materials; standards and best practices; federal, state and association activity, reports and letters; state leadership in identity document security; information on identity theft and counterfeiting; news and opinion pieces. Where possible, links to primary sources and Web sites are provided.



When you have the power to write your own National Security Letter?

http://www.pogowasright.org/article.php?story=20070328063811989

When Does An Anonymous Tip Justify a Search?

Wednesday, March 28 2007 @ 06:38 AM CDT - Contributed by: PrivacyNews - In the Courts

Under the Fourth Amendment, police need to have reasonable suspicion to stop and frisk a criminal suspect. This issue is particularly dicey when police are relying on an anonymous tip. The Supreme Court has held that anonymous tips must have sufficient indicia of reliability, and has outlined this standard in two key decisions: Alabama v. White upheld the use of an anonymous tip involving predictions that were corroborated by police, while Florida v. J.L. rejected a bare-boned tip that was merely descriptive. The question that divides this Eleventh Circuit panel is whether the anonymous tip in this case looks more like the one in White or the one in J.L.

Source - e-Notes (blog)

Related - U.S. v. Lindsey, 05-11273 (11th Cir., Mar. 27, 2007)



I didn't shoot you, my gun shot you.

http://www.zdnetindia.com/news/security/stories/173494.html

FBI chief blames computers for privacy flap

By Declan McCullagh, March 28, 2007

FBI Director Robert Mueller on Tuesday said secret "national security letters" are invaluable in unearthing telephone and e-mail logs and blamed computer snafus for deceiving Congress about how often the technique is used. [Doesn't this say, “We want all that computer data, but we don't understand computers?” Bob]

... The FBI once used 3x5 index cards to track use of the letters but then switched to a more modern database operated by the bureau's general counsel. But that database has never been linked to the FBI's home-brewed "Automated Case Support," a famously archaic system with IBM terminals as a front-end that has been the subject of a series of devastating internal critiques.

What that means is the only way to transfer information from one FBI database to the other is to manually retype it--a technologically backward approach that invites delays and errors.

... That, combined with other problems, led Justice Department Inspector General Glenn Fine to conclude that official reports to Congress "significantly understated" the actual number of national security letters. "We were unable to fully determine the extent of the inaccuracies because an unknown amount of data relevant to the period covered by our review was lost from the OGC database when it malfunctioned," his report said. [“We didn't back up our database.” Bob]

... Mueller also indicated he would oppose any requirement that the FBI keep one master database of national security letters--instead of having each of the 56 field offices keep its own records. [“...after all, there will never be any need to share information.” Bob]

... Instead of using a point-and-click interface, ACS is an IBM terminal-based application that uses function keys to navigate. It also lacks multimedia capabilities and the ability to save digital evidence in a convenient electronic format. [Circa 1970? Bob] An upgrade called Sentinel is supposed to be finished sometime in 2009.



I wonder why the existing global systems aren't usable?

http://techdirt.com/articles/20070327/101725.shtml

Justice Department Wasting Billions On Another Tech Debacle

from the haven't-we-seen-this-before? dept

Remember the famous FBI computer system? The one that was late, over-budget and was useless at fighting terrorists? The same one that some security experts decided it would be worth beginning a crime spree the day it was launched? The same one that was eventually scrapped entirely despite hundreds of millions of dollars spent? Well, it looks like the Justice Department may have another such system that they're wasting taxpayer money on. The Justice Department has been building a $5 billion (with a b) wireless communication system. However, a new audit says that the system is apparently "at a high risk of failure." Like the FBI's computer system, the system is "not on the path that was envisioned." And now, just like with the computer system, the Justice Department will spend many months examining whether it's worth salvaging the system, or just throwing it away. Accountability, apparently, isn't something the Justice Department takes too seriously.



Just because you can do something, does not mean you should – at least you should think a bit first...

http://www.boston.com/news/local/articles/2007/03/27/galvin_sees_privacy_issue_on_patrick_site/

Galvin sees privacy issue on Patrick site

By Andrea Estes, Globe Staff | March 27, 2007

Secretary of State William Galvin said yesterday that Governor Deval Patrick's new grass-roots website violated the privacy of Massachusetts voters by making their home addresses easily available to online visitors. Patrick's political committee later removed the house and apartment numbers, leaving only the street names.

... The site, devalpatrick.com, launched three days ago, [Note that errors can be corrected quickly. Bob] requires visitors to create a log-in and password to post opinions on an issue. During the registration process, users enter their name or phone number, and the website then provides a street address to make sure it has identified the right person. [What? You thought this wasn't automatic? How antiquated! Bob]

The problem, Galvin said, is that another person's last name or phone number could be entered on the site, and the user would see the home address of anyone with that name. Also, the voter list apparently included unlisted phone numbers. [and only a governor could get this information? Bob]

... Galvin said the voter list did not come from his office, which oversees elections, but a private vendor.



What happens when your legal strategy is to sue lots of easily intimidated people and hope they cave in quickly?

http://techdirt.com/articles/20070327/195455.shtml

RIAA Drops Another Case After Lawyer Points Out How Weak The Evidence Is

from the on-and-on-and-on dept

For years, the RIAA has been bullying all sorts of people with lawsuits over file sharing -- but the evidence they use has always been weak, at best. In the early years, before most people recognized this, they were forced to settle. But, more recently, lawyers have realized that pointing out how weak the evidence is will often make the RIAA turn and drop the case. They usually try to get out of paying legal fees, but even that's becoming more difficult. In the latest case (as usual, pointed out by Ray Beckerman) a strong letter pointing out all the problems with the RIAA's case has resulted in a very quick voluntary dismissal of the case. The lawyer's letter is absolutely worth reading, with the following being a key segment:

It is well documented that your clients' reliance on MediaSecurity (an admitted "non-expert;" UMG v. Lidor, East Dist NY No. 1:05-cv-01095-DGT-RML) and its overall method of identifying P2P copyright infringers is wholly unreliable and inadequate. See, e.g., February 23, 2007, deposition of the RIAA's expert. See also expert witness statement of Prof. Pouwelse and Dr. Sips and amicus curiae brief of the ACLU, Public Citizen, Electronic Frontier Foundation, American Association of Law Libraries, and ACLU Foundation of Oklahoma, in Capitol v. Foster decrying the RIAA's "driftnet" litigation strategy.

Such facts were known or reasonably should have been known to you and your law firm before suit against Mr. Merchant was filed. Thus, unless you and your office undertook additional independent investigation to identify Mr. Merchant as a person who actually has engaged in copyright infringement by illegal downloading, good faith basis for a Rule 11-compliant probable cause finding consistent with the Williams line of cases cited above simply did not exist to file the action. . . and does not exist now for it to be maintained.

Your clients apparently argue that Mr. Merchant's failure to respond to "settlement" demands justifies their lawsuit without other basis on which a finding of probable cause to sue could be claimed. You devoted the bulk of your letter advocating that position. As you know, however, that posture is repugnant to both Rule 408, Fed.Rul.Evid. and California Evidence Code §§ 1152 and 1154.

The Evidence Code sections are quite clear: settlement negotiations of all kinds may not be used to prove the validity of any claim or defense. Mr. Merchant has and had no more duty to respond to attempts to "sell" him one of your clients' boilerplate, non-negotiable $3750 settlements than he has to return cold calls from pushy life insurance salespeople. If your client (and your law firm?) are seeking probable cause shelter in a settlement negotiations house of straw (as suggested by your March 23 letter), all of you should consider the prevailing winds of the Evidence Code before making yourselves too comfortable. Straw will burn.



Tools & Techniques

http://www.eweek.com/article2/0,1759,2108196,00.asp?kc=EWRSS03119TX1K0000594

Cisco Unwires Surveillance Cameras

By Lisa Vaas March 27, 2007

Updated: The company's new cameras, video surveillance software, and scalable video recording and storage platform free users from dependence on a single control room and VCR technology.

Cisco is snipping the wires from hardwired surveillance cameras, rolling out IP cameras that hook into Cisco networks and that can be watched from any network point [Might be fun to hack! Bob]—not just the traditional central control room.



“Unlimited” might be enough. Backup by email? This could be fun for the e-Discovery people...

http://www.infoworld.com/article/07/03/28/HNyahoounlimitedstorage_1.html?source=rss&url=http://www.infoworld.com/article/07/03/28/HNyahoounlimitedstorage_1.html

Yahoo to offer unlimited storage capacity for Web mail

Capacity upgrade will be rolled out to users over a period of several months

By Sumner Lemon, IDG News Service March 28, 2007

Yahoo will give users of its free Web-based e-mail service access to unlimited storage capacity starting in May, according to a post on a company blog.



Why are these published AFTER spring break?

http://www.vroomvroomvroom.com/GeekTravelGuide/

The Geek's Travel Guide: 25 Online Apps to Help Plan Your Trip


http://www.moneyfortherestofus.com/CheapPlaneTickets.html

15 Tips for Cheap Travel: #2b) How to Find Cheap Plane Tickets

March 26 Filed under Travel by Elizabeth | 8 comments



...and it isn't even illegal!

http://politics.slashdot.org/article.pl?sid=07/03/28/0236232&from=rss

John McCain's MySpace Page "Pranked"

Posted by kdawson on Wednesday March 28, @04:51AM

from the careful-who-you-leach-from dept.

Several readers let us know about a little problem with presidential hopeful John McCain's MySpace page. Looks as though some staffer didn't read the fine print of the "credit" clause when selecting a template for the page. The template author and CEO of Newsvine, Mike Davidson, noticed this and didn't care too much. But the McCain page was pulling an image from Davidson's site, costing him bandwidth every time someone visited the candidate's MySpace page. So Davidson changed the image in question to read: "Today I announce that I have reversed my position and come out in full support of gay marriage... particularly marriage between two passionate females." Here is Davidson's account of the "immaculate hack".
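What bit the campaign page here is hotlinking: the MySpace page embedded an image served from Davidson's host, so he paid the bandwidth and controlled what appeared. The usual site-owner defence is a Referer check that serves the real image only to pages on the owner's own hosts. Below is an added example of such a check, not code from Davidson's site or MySpace; the host names are constructed. It also handles the two cases that trip up naive implementations: a missing Referer (many browsers and privacy tools strip it, so by default it is treated as first-party) and mixed-case or port-qualified hosts.

```python
"""Added example (constructed): Referer-based hotlink check for image requests.
Referer is supplied by the client, so this limits accidental bandwidth theft;
it is not an access control for anything sensitive."""
from urllib.parse import urlsplit

# Constructed: hosts whose pages may embed this site's images.
OWN_HOSTS = {"example-owner.invalid", "www.example-owner.invalid"}


def referer_host(referer):
    """Lower-cased host from a Referer header value, or None if absent/unparseable."""
    if not referer:
        return None
    try:
        return urlsplit(referer.strip()).hostname  # lower-cases and drops the port
    except ValueError:  # malformed URL (e.g. bad IPv6 literal)
        return None


def is_hotlink(referer, own_hosts=OWN_HOSTS, allow_missing=True):
    """True when the embedding page is on a host we do not own.

    A missing or unparseable Referer counts as first-party unless
    allow_missing is False; rejecting it would break users whose browsers
    or proxies strip the header.
    """
    host = referer_host(referer)
    if host is None:
        return not allow_missing
    return host not in own_hosts


def image_response(referer, image="template-background.png"):
    """Decide what to send: (status, file). Hotlinked requests get a neutral placeholder."""
    if is_hotlink(referer):
        return 403, "placeholder.png"
    return 200, image


if __name__ == "__main__":
    for ref in ["https://www.example-owner.invalid/templates/",
                "http://profile.social.invalid/candidate", None]:
        print(repr(ref), "->", image_response(ref))
```

Returning a small placeholder rather than a 403 with no body is the quieter option: the embedding page still renders, the owner stops paying for the large file, and nothing misleading is displayed under someone else's name.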



Interesting read.

http://www.technewsworld.com/rsstory/56547.html

TraceSecurity CTO Jim Stickley: Robbing Banks With Impunity

By Jack M. Germain E-Commerce Times Part of the ECT News Network 03/28/07 4:00 AM PT

TraceSecurity is a security-compliance firm that assists financial institutions with protecting their customers' personally identifiable information -- sometimes by attempting to break into their networks. "A few years ago this type of service was much like trying to sell ice to Eskimos," said CTO Jim Stickley. "Now people call us. They realize the need for security."

... Human nature never lets them down.
