Thursday, April 26, 2007

The MBA press release... TJX last updated their information March 28...

https://www.massbankers.org/pdfs/DataBreachSuitNR5.pdf

Massachusetts Bankers Association

CONTACT: Bruce E. Spitzer FOR IMMEDIATE RELEASE 617-523-7595

... The suit will seek to recover damages in the “tens of millions of dollars,”

... The three bankers associations represent nearly 300 banks.

... Cases of fraud due to the TJX breach have been reported from all over the world.

... Preliminary estimates of the costs vary from institution to institution, up to $25 per card.

... "Protecting consumers is our number one priority" said Lindsey Pinkham, senior vice president of the Connecticut Bankers Association. "However, retail data breaches are getting larger and more frequent and we cannot continue to absorb the costs."



This pretty much sums up the majority view, I think.

http://blogs.pcworld.com/staffblog/archives/004222.html

Wednesday, April 25, 2007 1:25 PM PT Posted by Tom Spring

TJX Data Breach Gets Even Uglier

What is it going to take to make companies better protect our data? I'm not convinced lawsuits are the solutions. But they sure make me feel better.

... I spoke to Massachusetts Bankers Association's spokesperson Bruce Spitzer. He gave me an earful. "Major retailers have not stepped up to the plate and protected their customers' financial data," he told me. "These companies have not been held accountable. We plan on setting an example with TJX."

Go get 'em Spitzer. But you'll have to get in line.

... At this rate TJX is going to have to spend more money on legal fees than upgrading its IT department and better protecting customer data.

I have zero sympathy for TJX.

... TJX says that it delayed telling its customers, not (as I suspect) to avoid hurting holiday sales, but in order to notify law enforcement first.



“Junior Doctors” are like Interns or Residents in the US?

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/04/25/ndocs125.xml

Security lapse in junior doctor jobs website

By Nic Fleming, Medical Correspondent, and Stephanie Condron Last Updated: 8:46pm BST 25/04/2007

An investigation was launched tonight after a serious security breach on the website used by medical students applying for junior doctor positions.

A Channel 4 news reporter was able to [break the law? Bob] access applicants’ confidential personal details including their addresses, telephone numbers, criminal convictions, sexual orientation and religion, following a tip-off from a doctor. Details were available to anyone with the right internet address (URL) for at least nine hours today.

The data on medical students applying for foundation course posts to become junior doctors had been stored on Microsoft Excel files and placed on the NHS Medical Training Application Service website.

The Information Commissioner tonight promised to investigate the security breach, which was closed half an hour after the Department of Health was informed at 4.35pm.

... “It doesn’t address the issue of how it got there in the first place and that still needs a very serious inquiry, a proper in-depth look into how this possibly could have happened, particularly when we have known for such a long time that there are concerns about this website.



How worthless are passwords?

http://www.fourthamendment.com/blog/

04/26/07 07:26:06 am, by fourth

10th Cir.: Elderly father who had no knowledge of computers had apparent authority to consent to search son's password protected computer

From a reader, a seriously troubling case from the Tenth Circuit not supplied by Lexis this morning:

The police conducted a knock-and-talk in a child porn case based on an investigation of a child porn website, and defendant's 91-year-old father was the only person at home. A few leading questions later, nothing pertaining to equal access to the computer, the father was asked to consent to a search of his 51-year-old son's bedroom where, with his government computer equipped with EnCase, the officer opened child porn pictures. The Tenth Circuit found the officers reasonably could rely on the father's apparent authority to consent to a search of his adult son's room, a finding that defies common sense (few 91-year-olds know a thing about computers, and the record shows that this one did not). The son was contacted, and the police stopped the search and waited for him and then arrested him. The court noted that EnCase enables the officers to bypass all passwords on the computer. This computer was password protected, but that did not bother the court. The majority of the court essentially puts the burden on the defendant to show that password protection of computers is common and shows an expectation of privacy like a locked container, and finds that he did not in this case. United States v. Andreas, 2007 WL 1207081 (10th Cir. April 25, 2007) (2-1).



In a society of “ubiquitous surveillance” these laws will need to be reviewed. “Evidence is evidence!”

http://news.com.com/2100-1047_3-6179002.html?part=rss&tag=2547-1_3-0-5&subj=news

Police blotter: Secret recording inadmissible against bus driver

By Declan McCullagh Story last modified Wed Apr 25 08:13:11 PDT 2007

Police Blotter is a weekly CNET News.com report on the intersection of technology and the law.

What: Milwaukee school bus driver's abuse of a child is discovered after parents place a voice-activated recorder in son's backpack.

When: Wisconsin Court of Appeals rules April 3.

Outcome: Court says in 2-1 vote that recording cannot be used against bus driver in court because it was not obtained by police. [Like the Rodney King video? Bob]

What happened, according to court documents:
Sometime around April 2003, Jacob Mutulo's parents began worrying that their 9-year-old son was being mistreated by the school bus driver.

According to a report that they placed on their own Web site, the school reported earlier in that school year that Jacob had been yelling and shouting in class and was reluctant to get on the school bus to return home. And the bus driver, Brian Duchow, complained that Jacob had been spitting at him.

Because Jacob has Down syndrome, the parents couldn't easily find out directly from him what was going on. According to Milwaukee radio station WTMJ AM 620, Jacob weighed about 50 pounds at the time and was not able to carry on a normal conversation. (He had also been diagnosed with Attention Deficit Hyperactivity Disorder.)

His frustrated parents eventually came to suspect that Jacob's poor behavior at school had something to do with the bus driver who had started at the beginning of the school year. They placed a voice-activated tape recorder in Jacob's backpack and listened to it at the end of the day.

It was a remarkably disturbing recording. The tape revealed Duchow yelling such things as, "Stop before I beat the living hell out of you" and "I'm going to slap the hell out of you." Another statement was: "Do I have to tape your mouth shut, because you know I will."

The parents called the police, and Milwaukee Police Officer Steven Wells interviewed Duchow after listening to the recording for himself. The police chose not to carry out their own electronic interception. [Will they now have to? Is the tape “probable cause?” Bob]

Duchow eventually was charged with intentionally causing bodily harm to a child and with disorderly conduct. He admitted to slapping the boy twice that day. What makes this case relevant to Police Blotter is that Duchow asked the judge to suppress the recording so it could not be used against him.

After the trial judge denied the request, Duchow pleaded guilty to intentionally causing bodily harm to a child--but reserved his right to appeal.

Wisconsin state law generally prohibits the disclosure of intercepted conversations, leaving the appeals court in a bit of a tight spot. The exceptions to that general rule apply to police and to people working in concert with police.

A majority of the Wisconsin appeals court ruled that the recording was lawfully obtained--but could not be lawfully disclosed because it was not done in cooperation with police--and reversed the lower court's ruling. The case was sent back to a circuit judge, and it's unclear what will happen next.

If the police had bugged the bus the next day and remained nearby to intervene, if necessary, this would have never become an issue.

Excerpts from the Wisconsin appeals court's majority opinion:
If the interception in this case had been obtained "under color of law"--that is, through police involvement--references to the interception in the complaint would be permitted. A repeat interception in the present case could have been supervised by law enforcement with the resulting information obtained "under color of law."

That would have made the contents of such a recording admissible in this felony prosecution under Wis. Stat. 968.29(3) and properly disclosed in the complaint. However, in the present case, Duchow pleaded guilty and, therefore, the content of the interception was not used at trial. Whether the complaint itself, with disclosure of the content of the interception, would have been admissible at trial, we need not decide.

Jacob's parents acted responsibly and in the best interests of their child when they took reasonable action to protect their child from a reasonably suspected threat of harm. As the private party under the rationale of the Waste Management case, they promptly disclosed what they recorded to a law enforcement officer. There was nothing more appropriate they could have done under the circumstances.

Likewise, the officer acted appropriately in investigating the information that properly came to his attention. He interviewed Duchow and could properly communicate what he learned from the interview.

However, the recording by Jacob's parents, while "not unlawful," was not one they obtained "under color of law." Therefore, law enforcement officers or agents were not permitted by Wis. Stat. 968.29(3) to disclose the contents of the interception because they had not obtained the interception from someone acting under color of law.

This problem might have been easily remedied if another secret recording under the supervision of the police had occurred. Had that step been taken, we have little doubt that such a follow-up interception would have been obtained under color of law and admissible.

For all the foregoing reasons, we conclude that Duchow's electronically intercepted communications were "oral communications" under Wis. Stat. 968.27(12), that Jacob's parents properly consented on his behalf to the electronic interception under Wis. Stat. 968.31(2)(c), that they properly delivered the recording to law enforcement and that law enforcement officers properly used the information they learned in their investigation.

However, because the interception was not obtained under color of law, the contents of the interception were not admissible in the felony prosecution against Duchow. Therefore, we reverse and remand to the trial court for further proceedings consistent with this opinion.

Excerpts from the dissent by Judge Patricia Curley:
I agree with the majority's conclusions that the recorded statements of Duchow were oral communications and that the child victim's parents could give vicarious consent to tape-record the conversation the child victim had with Duchow. However, I disagree with the majority's conclusion that the tape recording was inadmissible.

Here, the child victim's parents consented on the child's behalf to intercept the conversation between the child and Duchow, and the recording was turned over to the police. Further, their purpose in doing so was not to commit "a criminal or tortious act." Thus, following the Maloney holding, the tape was admissible.

Moreover, under the circumstances present here, it seems illogical and contrary to common sense to approve the parents' actions to protect their child by tape-recording the conversation but prevent the state from prosecuting the offenses revealed by the recording.

I am also concerned with the majority's solution that "(t)his problem might have been easily remedied if another secret recording under the supervision of the police had occurred."

Clearly, this child had already been victimized by Duchow. The tape revealed Duchow yelling such things as, "Stop before I beat the living hell out of you," and "I'm going to slap the hell out of you."

Duchow also admitted to the police that he had slapped the child twice on the bus ride. To suggest that the victim be subjected to another such incident, just to make the recording admissible, is cruel and inhumane.

Therefore, although I agree with the majority's analysis in all other respects, I respectfully dissent with regard to the admissibility of the recordings at trial.



Thieves promise: “We will do better!”

http://www.tech.co.uk/computing/mobile-computing/news/1-in-5-peoples-data-stolen-so-far-in-2007?articleid=263317558

1 in 5 people's data stolen so far in 2007

Laptop thefts highlighted at InfoSecurity Europe event

Dan Grabham 25 Apr 2007 13:31

One in every five people in the UK have had their personal information stolen because of computer theft so far in 2007. That's according to a new survey from laptop security vendor Kensington.



Is it the same in the US?

http://www.express.co.uk/posts/view/5316

PRESS PRIVACY COMPLAINTS RISING

Tuesday April 24,2007

The number of people taking privacy and intrusion issues to the Press Complaints Commission (PCC) is growing - and dwarfs the number of cases taken to courts, according to its annual report.



So where are my virtual lawyers?

http://blogs.zdnet.com/Berlind/?p=447

Filtering Boston’s free municipal Wi-Fi net: legal? Web’s lawyer not so sure

Posted by David Berlind @ 11:26 am April 25th, 2007

One of my favorite people — Danny Weitzner, general counsel to the World Wide Web Consortium — is chiming in on the news that the City of Boston's free municipal Wi-Fi is selectively filtering access to certain Web destinations like Boing Boing (the technical culprit was later identified). But in a single blog post, Weitzner nails the legality of such filtering as well as how it's defeating the purpose of that sort of Internet access in the first place. Given the Web's role in public discourse, such commentary is befitting of its official lawyer:

Various people (including David Sheets, a student of mine at MIT, and Seth Finkelstein) have pointed out over the last few days that the ‘free’ municipal WiFi service offered by the City of Boston comes with mandatory content filtering that blocks all kinds of sites which are not even close to illegal nor are they sources of pornography that might be considered harmful to children… If the City is allowed to do this, then they can block just about anything: Web sites operated by the opposing political party, critiques of the Big Dig, not to mention http://yankees.mlb.com/. One has to ask whether this is really a path that any city would want to open up for itself?… As a constitutional matter, it’s not quite clear whether the government can require government-funded Internet service providers to filter content. In United States v. American Library Association, 539 U.S. 194 (2003), the US Supreme Court decided that the Congress could require libraries receiving federal Internet access subsidies (the e-rate) to filter out porn. However, it’s not clear whether this case applies to the muni Wifi situation… For what purpose is muni wifi offered? [Isn't] it precisely to create an expanded public forum to increase the flow of information and new web services around the city?


Is this related? (It will likely create more problems than it solves.)

http://techdirt.com/articles/20070425/180418.shtml

Ohio University Says No File Sharing Allowed

from the throwing-out-the-baby-with-the-bathwater dept

While some universities have fought back against RIAA complaints about their students using file sharing for making unauthorized copies of content, it appears that Ohio University is going to the opposite extreme. Slashdot points out that the university has announced that all P2P file sharing is banned as of this coming Friday. The university gives a variety of reasons for it and seems to bounce back and forth between rationales. It may be because file sharing could overwhelm network resources, though they give no indication that current file sharing systems have actually been a problem -- just that it could be a problem. Then they claim that file sharing could transmit bad stuff like viruses and spyware. Of course, so can email and the web, but the university doesn't appear to be banning the use of either of those things. Then, finally, the university brings up the real reason for the ban. Apparently, staff at the university are sick of dealing with those new prelitigation letters from the RIAA. Rather than following in the footsteps of the University of Nebraska and sending the RIAA a bill for time wasted, Ohio University has decided it's best to just ban P2P apps altogether. Of course, while they have a "partial list" of banned apps, the description is so vague, it's unclear what might get you kicked off the university network. Something like Skype is P2P and uses up bandwidth -- so based on some of the university's reasoning, it too should be banned. It's a sad statement of the times that an institution designed for educating and learning about new things would decide to completely shut off any use of powerful technologies that have plenty of perfectly legitimate uses just because some backwards industry group can't figure out how to change its outdated business models.



Includes privacy and forensic topics

http://www.bespacific.com/mt/archives/014681.html

April 25, 2007

Report of the Defense Science Board Task Force on Defense Biometrics

Report of the Defense Science Board Task Force on Defense Biometrics, March 2007 (178 pages, PDF). "The final report includes overall findings and recommendations that focus on information management and sharing; R&D, material and technology; issues beyond DoD; issues internal to DoD; DoD organizational issues; and legal and privacy issues."



I haven't reviewed it yet.

http://chiroeco.com/news/2007/April/HHS.php

HHS launches new Web site on HIPAA privacy

The U.S. Department of Health and Human Services (HHS) launched an enhanced Web site to make it easier for consumers, healthcare providers, and others to get information about how the HHS enforces health information privacy rights and standards.

The new Web site coincides with the fourth anniversary of the enforcement of the HIPAA Privacy Rule.

The Web site provides comprehensive information about the Privacy Rule, which creates important federal rights and requirements to protect the privacy of personal health information. The enhanced Web site, www.hhs.gov/ocr/privacy/enforcement, provides information for consumers, healthcare providers, health plans, and others in the health care industry about HHS’s compliance and enforcement efforts.



“We are prepared to start considering meetings to discuss future planning to establish a timeline for thinking about moving forward.”

http://www.bespacific.com/mt/archives/014663.html

April 24, 2007

Privacy and Civil Liberties Board Delivers First Report to Congress

Press release: "The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), which created the Privacy and Civil Liberties Oversight Board (Board), requires that "[n]ot less frequently than annually, the Board shall prepare a report to Congress, unclassified to the greatest extent possible...on the Board's major activities during the preceding period." This report discusses the Board’s activities from its first meeting on March 14, 2006, at which the Members were sworn in and an Executive Director was appointed, through March 1, 2007. This report contains no classified information."

  • Privacy and Civil Liberties Board First Annual Report to Congress, March 2006 - March 2007 (49 pages, PDF).



Amusing

http://www.bespacific.com/mt/archives/014671.html

April 25, 2007

Research Study on Business Journalism Blogging Released by Reynolds Center

Press release: "Three-fourths of the nation's largest newspapers now offer blogs on business-related topics, according to a study released today by the Donald W. Reynolds National Center for Business Journalism at Arizona State University. These popular online Web journals written by reporters get breaking news to readers more quickly, according to 60 percent of the business bloggers who responded to the study. However, more than half of respondents also said this also takes away from their regular reporting time."


Dilbert on Corporate Blogs... Be afraid!

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2007458220426.gif



These robots will make taking your money even easier! “Beep! Stick 'em up! Beep!”

http://hardware.slashdot.org/article.pl?sid=07/04/25/2232236&from=rss

Google, Intel, Microsoft Fund Robot Recipes

Posted by samzenpus on Wednesday April 25, @10:00PM from the cook-until-sentient dept.

Dotnaught writes "Google, Intel, and Microsoft are funding what may become a robot invasion. Money from the three tech companies has enabled researchers at Carnegie Mellon University to create a new series of Internet-connected robots that almost anyone can build using off-the-shelf parts. These "recipes" describe how to build a robot that connects to the Internet using common parts and a $349 Qwerk controller from Charmed Labs."



I suppose we could hire Chinese students to explain the problems to our kids, but who will explain it to the “educators?”

http://science.slashdot.org/article.pl?sid=07/04/25/1625216&from=rss

Encouraging Students to Drop Mathematics

Posted by ScuttleMonkey on Wednesday April 25, @03:33PM from the math-be-tough-let's-go-shoppin dept.

Coryoth writes "The BBC is reporting that students in the UK are being encouraged to drop math at the senior levels. It seems that schools are seeking to boost their standing on league tables by encouraging students not to take 'hard' subjects like mathematics, in favor of easier subjects in which they are assured good grades. [GOV101 Meeting government education goals the easy way Bob] The result is universities being forced to provide remedial math classes for science students who haven't done math for two years. The BBC provides a comparison between Chinese and UK university entrance tests — a comparison that makes the UK look woefully behind."



England is really, really, really into surveillance... Note how simple it is to generate publicity given the right technology and a photogenic subject.

http://news.yahoo.com/s/nm/20070425/od_uk_nm/oukoe_uk_cheese;_ylt=AgDXtxuRCbzc5YvjWGpWYjjMWM0F

Maturing British cheese becomes Internet star

Wed Apr 25, 1:29 PM ET

LONDON (Reuters) - A large English cheddar cheese has become a star of the Internet, attracting more than 1 million viewers to sit and stare at it as it slowly ripens.

First placed in front of a webcam in late December, the Westcombe cheddar from West Country Farmhouse Cheesemakers leaped to public attention in early February and has since attracted viewers from 119 countries.

"The hits went over 1 million this morning. It has been a real challenge keeping the cheese up and running with all the interest it has generated," a spokesman for the company running the website, www.cheddarvision.tv, said on Wednesday.
