Saturday, January 13, 2007

Is this just bad reporting or accurate reporting of bad management?

http://www.businessweek.com/ap/financialnews/D8MJSR0O1.htm

MoneyGram says consumer info accessed

MINNEAPOLIS January 12, 2007, 1:03PM EST

MoneyGram International Inc., a global payment services provider, announced Friday that a company server with consumer information for about 79,000 bill payment customers was unlawfully accessed over the Internet last month.

The company said that it had not been able to determine if any information was actually stolen, [“We work hard to be this ignorant...” Bob] but the company was notifying customers that someone may have viewed their personal data.

The information involved did not include Social Security or driver's license numbers. It did include the names, addresses, phone numbers -- and in some cases -- the bank account numbers of MoneyGram customers.

... "It was an isolated incident involving only those consumers who made payments to a single biller, [How can they know that if they don't know what information was accessed? Bob] and we are working with law enforcement in the investigation," said Vicki Keller, a MoneyGram vice president, in a prepared statement.



...so, there is no reason to protect Social Security numbers?

http://cairns.typepad.com/blog/2007/01/egovernment_and.html

January 11, 2007

E-Government and Privacy Rights

On Dec 29, the U.S. District Court for the Southern District of Ohio in Lambert v. Hartman held that individuals do not have a constitutionally protected privacy interest in their social security numbers. The plaintiff received a speeding ticket which prompted the police officer to record her name, address, birth date, driver's license number and social security number. The ticket was posted on the website of the local court clerk. This led to identity theft where a third party opened a credit card and fraudulently purchased merchandise in the plaintiff's name. She filed suit against the court clerk. The court refused to recognize the financial interest of the plaintiff as rising to a level significant enough to deserve constitutional protection. "Plaintiff's alleged privacy interest in her [personal information] do[es] not implicate either a fundamental right or one implicit in the concept of ordered liberty," the court concluded. For extended quotes from the case, see here.

[ Lambert v. Hartmann, 2006 U.S. Dist. LEXIS 93926 (S.D. Ohio December 29, 2006): Bob]



Could this be a model for other industries also? (Imagine a swarm of fanatical geeks monitoring Micro Center and alerting a blog when DVDs go on sale...)

http://news.yahoo.com/s/ap/20070113/ap_on_hi_te/dining_wars

Blog wields power in restaurant world

By ADAM GOLDMAN, AP Business Writer Fri Jan 12, 8:50 PM ET

Ben Leventhal and Lockhart Steele are a pair of bloggers fighting a guerrilla war against the city's publicists. Nearly every day, the two provide restaurant information on their popular Web site, Eater.com, posting tidbits that publicists aren't ready to release and traditional journalists haven't managed to print.

Thanks to an army of hungry tipsters, Leventhal and Steele are irking restaurateurs, chefs and reporters alike with their timely scoops. They have broken stories about restaurant closings and the comings-and-goings of chefs, and their success has led to a new venture in Los Angeles.

There is also talk of stalking San Francisco's eateries and possibly delving into one or two other major cities. [Denver? Bob]

The ascendancy of Eater.com is yet another example of the transformation in how news is disseminated in a blog-driven world. With sites like Eater.com, Chowhound.com and Thestrongbuzz.com, no longer do restaurant-obsessed New Yorkers have to wait for a weekly food and dining section in a newspaper or magazine to get the lowdown.

... Leventhal and Steele's site attracts tens of thousands of readers a day and led the influential Food & Wine magazine to call Eater "required reading" and dub them "intrepid web masters" for shaking up the eating scene.

Friday, January 12, 2007

Sounds like they have everything under control... NOT!

http://www.ktvb.com/news/localnews/stories/ktvbn-jan1107-stolen_data.2df71504.html

Stolen UI computers likely have personal data for 70k

02:33 PM MST on Thursday, January 11, 2007 KTVB.COM

BOISE - Three desktop computers have disappeared from the University of Idaho’s Advancement Services office – and now school officials say the personal data of alumni, donors, employees and students may be in danger.

UI says someone stole the computers – and an internal investigation shows that as many as 70,000 social security numbers, names and addresses were stored on the hard drives six months before the theft.

School officials tell NewsChannel 7 that it is unclear if the data was still on the computers at the time of the theft. [“We have no idea what data is stored where.” Bob]

There is currently no evidence any of the data has been misused. The computers are still missing.

The school says it will notify more than 331,000 people who may have been exposed [“Remember, we don't have a clue...” Bob] – with those people living in the state of Idaho receiving an e-mail, and out-of-state folks will receive notice by US Mail. [“Because the Internet only works in Idaho...” Bob]

“We deeply regret this incident and the worry and inconvenience it may cause, but we want to assure donors, alumni, students and employees that the University of Idaho is strengthening its processes for securing and storing our sensitive data,” University President Tim White said in a prepared statement.

The computers went missing over the Thanksgiving weekend – and school officials notified Moscow police, who forwarded the case on to the Latah County Sheriff’s Office. Law enforcement officials asked the school to delay notifying those potentially affected.

A special website has been set up – www.identityalert.uidaho.edu – and a hotline established – (866) 351-1860.

UI says it is taking steps to improve security, including physical and digital methods.



This was awfully quick...

http://www.timesdispatch.com/servlet/Satellite?pagename=RTD/MGArticle/RTD_BasicArticle&c=MGArticle&cid=1149192605701

Arrest made in Altria laptop case

Richmond Times-Dispatch Thursday, January 11, 2007

New York police have made an arrest in the theft of five laptops containing the names of about 18,000 past and present employees of Altria, the parent company of Philip Morris USA in Richmond.

Altria spokeswoman Lisa Gonzalez said Philip Morris has sent e-mails and letters to many of its 6,300 area employees whose names, social security numbers and other pension-related information were found on the stolen computers.

The theft occurred in late November in the New York City offices of Towers Perrin, which handles pension and benefit consulting for Altria. Employees at other branches of the company, including Kraft Foods and Philip Morris International, also have been notified.

Altria and Towers Perrin waited to inform the affected employees until after police made an arrest on Dec. 28. Towers Perrin said in its letter that "we have no reason to believe that your information has been misused."

Dewayne Rivers, 30, of Brooklyn, has been charged in the theft. Towers Perrin described Rivers as "a junior-level administrative employee" at its New York offices.

Rivers was released Dec. 28 on $10,000 bail and has an April 5 court date, a spokesman for the Manhattan District Attorney's office said today.


...and this was quite predictable.

http://www.upi.com/NewsTrack/view.php?StoryID=20070111-075324-5127r

Report: VA bridled at security requests

WASHINGTON, Jan. 11 (UPI) -- The Department of Veterans Affairs in Washington didn't take seriously congressional requests to safeguard veterans' information, The Hill reported.

The Capitol Hill newspaper said a tape recording of a meeting between lawmakers and VA officials shows a veterans affairs official accusing Congress of engaging in a power play over the handling of veterans' personal data stored on computers.

The Hill published a portion of the tape in which VA official Dr. Joseph Francis said: "If you want to know what's the real purpose of the data call, read Machiavelli. It's about power; it's about Congress saying, 'VA, you're accountable to us.'"

Security questions originally arose last May when a Veterans Affairs employee took his work computer home, where it was subsequently stolen. The computer contained the medical and personal information on some 26.5 million veterans and military personnel.

The laptop was eventually recovered, but the theft raised an alarm on Capitol Hill to protect such information in the future.

The Hill said it obtained the recording from a researcher who attended the meeting. [Another one of those pesky security leaks made possible by technology. Bob]



Attention e-Discovery experts! (The Maalox is in the medicine chest...)

http://www.nytimes.com/2007/01/11/technology/11email.html?ex=1326171600&en=499e65a9fea2201d&ei=5088&partner=rssnyt&emc=rss

Firms Fret as Office E-Mail Jumps Security Walls

By BRAD STONE January 11, 2007

SAN FRANCISCO, Jan. 10 — Companies spend millions on systems to keep corporate e-mail safe. If only their employees were as paranoid.

A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.

“It’s a hole you can drive an 18-wheeler through,” said Paul D. Myer, president of the security firm 8E6 Technologies in Orange, Calif.

It is a battle of best intentions: productivity and convenience pitted against security and more than a little anxiety.

Corporate techies — who, after all, are paid to worry — want strict control over internal company communications and fear that forwarding e-mail might expose proprietary secrets to prying eyes. Employees just want to get to their mail quickly, wherever they are, without leaping through too many security hoops.

Corporate networks, which typically have several layers of defenses against hackers, can require special software and multiple passwords for access. Some companies use systems that give employees a security code that changes every 60 seconds; this must be read from the display screen of a small card and typed quickly.

That is too much for some employees, especially when their computers can store the passwords for their Web-based mail, allowing them to get right down to business.

So far, no major corporate disasters caused by this kind of e-mail forwarding have come to light. But security experts say the risks are real. For example, the flimsier security defenses of Web mail systems could allow viruses or spyware to get through, and employees could unwittingly download them at the office and infect the corporate network.

Also, because messages sent from Web-based accounts do not pass through the corporate mail system, companies could run afoul of federal laws that require them to archive corporate mail and turn it over during litigation.

Lawyers in particular wring their hands over employees using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them to keep them out of the reach of legal foes. Companies have no control over the life span of e-mail messages in employees’ Web accounts.

“If employees are just forwarding to their Web e-mail, we have no way to know what they are doing on the other end,” said Joe Fantuzzi, chief executive of the information security firm Workshare. “They could do anything they want. They could be giving secrets to the K.G.B.”

Hospitals have an added legal obligation to protect patient records. But when DeKalb Medical Center in Atlanta started monitoring its staff use of Web-based e-mail, it found that doctors and nurses routinely forwarded confidential medical records to their personal Web mail accounts — not for nefarious purposes, but so they could continue to work from home.

In the months after the hospital began monitoring traffic to Web e-mail services, it identified “a couple hundred incidents,” said Sharon Finney, DeKalb’s information security administrator. “I was surprised about the lack of literacy about the technology we depend on every day,” she said.

DeKalb now forbids the practice, and uses several software systems that monitor the hospital’s outbound e-mail and Web traffic. Ms. Finney said she still catches four to five perpetrators a month trying to forward hospital e-mail.

The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of “some or all” of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users’ address books to Internet attackers.

... Many corporate technology professionals express the fear that Google and its rivals may actually own the intellectual property in the e-mail that resides on their systems. [Huh? Bob] Gmail’s terms of service, however, state that e-mail belongs to the user, not to Google. The company’s automated software does scan messages in Gmail, looking for keywords that might generate related text advertisements on the page. A Google spokeswoman said the company has an extensive privacy policy to ensure no humans at Google read user e-mail.
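What DeKalb did, monitoring outbound mail for internal addresses sending to consumer webmail, reduces to a small filter over gateway logs. The block below is an added example written for this page, not code from the article or from DeKalb. The log line layout, the internal domain hospital.example and the list of webmail domains are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter

INTERNAL_DOMAIN = "hospital.example"   # assumption: the organisation's own mail domain
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "aol.com"}  # assumption

# Constructed sample of outbound mail-gateway log lines (not real logs). The line
# layout (timestamp, queue id, from=<>, to=<>, subject="") is an assumption.
SAMPLE_LOG = """\
2007-01-10T08:02:11 q1 from=<dr.lee@hospital.example> to=<dr.lee@gmail.com> subject="Fwd: patient 4471 labs"
2007-01-10T08:05:40 q2 from=<billing@hospital.example> to=<ap@vendor.example> subject="Invoice 1182"
2007-01-10T09:15:03 q3 from=<nurse.kim@hospital.example> to=<kimrn@yahoo.com> subject="FW: discharge summary"
2007-01-10T09:40:22 q4 from=<dr.lee@hospital.example> to=<dr.lee@gmail.com> subject="Fwd: MRI results"
2007-01-10T10:01:09 q5 from=<newsletter@partner.example> to=<staff@hospital.example> subject="Weekly update"
2007-01-10T10:30:55 q6 from=<hr@hospital.example> to=<candidate99@gmail.com> subject="Interview schedule"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<qid>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> '
    r'subject="(?P<subject>[^"]*)"$')
FORWARD_RE = re.compile(r"^\s*(fwd?|fw)\s*:", re.IGNORECASE)


def domain(address):
    """Domain part of an e-mail address, lower-cased; '' if there is none."""
    return address.rpartition("@")[2].lower()


def local_part(address):
    """Mailbox part of an e-mail address, lower-cased."""
    return address.rpartition("@")[0].lower()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons this message looks like a webmail forward; empty if clean."""
    reasons = []
    if domain(entry["sender"]) != INTERNAL_DOMAIN:
        return reasons                      # inbound or third-party mail: not in scope here
    if domain(entry["rcpt"]) in WEBMAIL_DOMAINS:
        reasons.append("internal sender to consumer webmail")
        if FORWARD_RE.match(entry["subject"]):
            reasons.append("subject marked as forwarded")
        if local_part(entry["sender"]) == local_part(entry["rcpt"]):
            reasons.append("same local part on both sides (self-forward)")
    return reasons


def scan(log_text):
    """Parse every line and keep the entries that have at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue                        # malformed line: skip rather than abort the scan
        reasons = classify(entry)
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


def repeat_senders(flagged, threshold=2):
    """Senders seen at least `threshold` times: the people to follow up with."""
    counts = Counter(e["sender"] for e in flagged)
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h["qid"], h["sender"], "->", h["rcpt"], "|", "; ".join(h["reasons"]))
    print("repeat senders:", repeat_senders(hits))
```

The destination-domain test alone also catches legitimate mail to people who happen to use Gmail (q6 in the sample), which is why the subject and same-mailbox signals are kept as separate reasons: a reviewer can rank the hits before contacting anyone, and a policy block can be restricted to the higher-confidence combinations.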



New term?

http://www.azstarnet.com/allheadlines/164048.php

Guest Opinion: Bruce Schneier

Technology giving DPS more power to spy on us

Tucson, Arizona | Published: 01.11.2007

The Arizona Department of Public Safety has a new law-enforcement tool: a car-mounted license-plate scanner. Similar to a radar gun, it reads the license plates of moving or parked cars — 250 or more per hour — and links with remote police databases, immediately providing information about the car and owner.

On the face of it, this is nothing new. Police have always been able to run a license plate. The difference is they would do it manually, and that limited its use. It simply wasn't feasible for police to run the plates of every car in a parking garage or every car that passed through an intersection. What's different isn't the police tactic, but the efficiency of the process.

Technology is fundamentally changing the nature of surveillance. Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive and was used only when there was reasonable suspicion of a crime. Modern surveillance is the policeman with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a policeman sitting at a computer in the station.

It's the same, but it's completely different. It's wholesale surveillance. [I've been calling it “ubiquitous surveillance” but this is a better term. Lots of people probably don't understand “ubiquitous” Bob] And it disrupts the balance between the powers of the police and the rights of the people.

Wholesale surveillance is fast becoming the norm. Automatic toll-collection systems record when individual cars pass through toll booths. We can all be tracked by our cell phones. Our purchases are tracked by banks and credit-card companies, our telephone calls by phone companies, our Internet surfing habits by Web site operators.

The effects of wholesale surveillance on privacy and civil liberties are profound; but, unfortunately, the debate often gets mischaracterized as a question about how much privacy we need to give up in order to be secure. This is wrong. It's obvious that we are all safer when the police can use all techniques at their disposal. What we need are corresponding mechanisms to prevent abuse and that don't place an unreasonable burden on the innocent. [I agree! Bob]

Throughout our nation's history, we have maintained a balance between the necessary interests of the police and the civil rights of the people.

The search-warrant process, as prescribed in the Fourth Amendment, is such a balancing method. So is the minimization requirement for telephone eavesdropping: The police must stop listening to a phone line if the suspect under investigation is not talking.

For license-plate scanners, one obvious protection is to require the police to erase data collected on innocent car owners immediately and not save it. The police have no legitimate need to collect data on everyone's driving habits. Another is to allow car owners access to the information about them used in these automated searches and to allow them to challenge inaccuracies.

We need to go further. Criminal penalties are severe in order to create a deterrent, because it is hard to catch wrongdoers. As they become easier to catch, a realignment is necessary. When the police can automate the detection of a wrongdoing, perhaps there should no longer be any criminal penalty attached. For example, both red-light cameras and speed-trap cameras should issue citations without any "points" assessed against the driver. [Interesting argument. Not sure I agree. Bob]

Wholesale surveillance is not simply a more efficient way for the police to do what they've always done. It's a new police power, one made possible with today's technology and one that will be made easier with tomorrow's.

And with any new police power, we as a society need to take an active role in establishing rules governing its use. To do otherwise is to cede ever more authority to the police.



Bruce again. Here's an article that explains why all those stolen laptops with passwords aren't as secure as the victim organizations pretend...

http://www.wired.com/news/columns/0,72458-0.html?tw=rss.politics

Secure Passwords Keep You Safer

By Bruce Schneier 02:00 AM Jan. 11, 2007

Ever since I wrote about the 34,000 MySpace passwords I analyzed, people have been asking how to choose secure passwords.

My piece aside, there's been a lot written on this topic over the years -- both serious and humorous -- but most of it seems to be based on anecdotal suggestions rather than actual analytic evidence. What follows is some serious advice.

The attack I'm evaluating against is an offline password-guessing attack. This attack assumes that the attacker either has a copy of your encrypted document, or a server's encrypted password file, and can try passwords as fast as he can. There are instances where this attack doesn't make sense. ATM cards, for example, are secure even though they only have a four-digit PIN, because you can't do offline password guessing. And the police are more likely to get a warrant for your Hotmail account than to bother trying to crack your e-mail password. Your encryption program's key-escrow system is almost certainly more vulnerable than your password, as is any "secret question" you've set up in case you forget your password.

Offline password guessers have gotten both fast and smart. AccessData sells Password Recovery Toolkit, or PRTK. Depending on the software it's attacking, PRTK can test up to hundreds of thousands of passwords per second, and it tests more common passwords sooner than obscure ones.

So the security of your password depends on two things: any details of the software that slow down password guessing, and in what order programs like PRTK guess different passwords.

Some software includes routines deliberately designed to slow down password guessing. Good encryption software doesn't use your password as the encryption key; there's a process that converts your password into the encryption key. And the software can make this process as slow as it wants.

The results are all over the map. Microsoft Office, for example, has a simple password-to-key conversion, so PRTK can test 350,000 Microsoft Word passwords per second on a 3-GHz Pentium 4, which is a reasonably current benchmark computer. WinZip used to be even worse -- well over a million guesses per second for version 7.0 -- but with version 9.0, the cryptosystem's ramp-up function has been substantially increased: PRTK can only test 900 passwords per second. PGP also makes things deliberately hard for programs like PRTK, also only allowing about 900 guesses per second. [“Only” Bob]

When attacking programs with deliberately slow ramp-ups, it's important to make every guess count. A simple six-character lowercase exhaustive character attack, "aaaaaa" through "zzzzzz," has more than 308 million combinations. And it's generally unproductive, because the program spends most of its time testing improbable passwords like "pqzrwj."

According to Eric Thompson of AccessData, a typical password consists of a root plus an appendage. A root isn't necessarily a dictionary word, but it's something pronounceable. An appendage is either a suffix (90 percent of the time) or a prefix (10 percent of the time).

So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like "letmein," "password1," "123456" and so on. Then it tests them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!" and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations.

Then, PRTK goes through a series of increasingly complex root dictionaries and appendage dictionaries. The root dictionaries include:

* Common word dictionary: 5,000 entries

* Names dictionary: 10,000 entries

* Comprehensive dictionary: 100,000 entries

* Phonetic pattern dictionary: 1/10,000 of an exhaustive character search

The phonetic pattern dictionary is interesting. It's not really a dictionary; it's a Markov-chain routine that generates pronounceable English-language strings of a given length. For example, PRTK can generate and test a dictionary of very pronounceable six-character strings, or just-barely pronounceable seven-character strings. They're working on generation routines for other languages.

PRTK also runs a four-character-string exhaustive search. It runs the dictionaries with lowercase (the most common), initial uppercase (the second most common), all uppercase and final uppercase. It runs the dictionaries with common substitutions: "$" for "s," "@" for "a," "1" for "l" and so on. Anything that's "leet speak" is included here, like "3" for "e."

The appendage dictionaries include things like:

* All two-digit combinations

* All dates from 1900 to 2006

* All three-digit combinations

* All single symbols

* All single digit, plus single symbol

* All two-symbol combinations

AccessData's secret sauce is the order in which it runs the various root and appendage dictionary combinations. The company's research indicates that the password sweet spot is a seven- to nine-character root plus a common appendage, and that it's much more likely for someone to choose a hard-to-guess root than an uncommon appendage.

Normally, PRTK runs on a network of computers. Password guessing is a trivially distributable task, and it can easily run in the background. A large organization like the Secret Service can easily have hundreds of computers chugging away at someone's password. A company called Tableau is building a specialized FPGA hardware add-on to speed up PRTK for slow programs like PGP and WinZip: roughly a 150- to 300-times performance increase.

How good is all of this? Eric Thompson estimates that with a couple of weeks' to a month's worth of time, his software breaks 55 percent to 65 percent of all passwords. (This depends, of course, very heavily on the application.) Those results are good, but not great.

But that assumes no biographical data. Whenever it can, AccessData collects whatever personal information it can on the subject before beginning. If it can see other passwords, it can make guesses about what types of passwords the subject uses. How big a root is used? What kind of root? Does he put appendages at the end or the beginning? Does he use substitutions? ZIP codes are common appendages, so those go into the file. So do addresses, names from the address book, other passwords and any other personal information. This data ups PRTK's success rate a bit, but more importantly it reduces the time from weeks to days or even hours.

So if you want your password to be hard to guess, you should choose something not on any of the root or appendage lists. You should mix upper and lowercase in the middle of your root. You should add numbers and symbols in the middle of your root, not as common substitutions. Or drop your appendage in the middle of your root. Or use two roots with an appendage in the middle.

Even something lower down on PRTK's dictionary list -- the seven-character phonetic pattern dictionary -- together with an uncommon appendage, is not going to be guessed. Neither is a password made up of the first letters of a sentence, especially if you throw numbers and symbols in the mix. And yes, these passwords are going to be hard to remember, which is why you should use a program like the free and open-source Password Safe to store them all in. (PRTK can test only 900 Password Safe 3.0 passwords per second.)

Even so, none of this might actually matter. AccessData sells another program, Forensic Toolkit, that, among other things, scans a hard drive for every printable character string. It looks in documents, in the Registry, in e-mail, in swap files, in deleted space on the hard drive ... everywhere. And it creates a dictionary from that, and feeds it into PRTK.

And PRTK breaks more than 50 percent of passwords from this dictionary alone.

What's happening is that the Windows operating system's memory management leaves data all over the place in the normal course of operations. You'll type your password into a program, and it gets stored in memory somewhere. Windows swaps the page out to disk, and it becomes the tail end of some file. It gets moved to some far out portion of your hard drive, and there it'll sit forever. Linux and Mac OS aren't any better in this regard.

I should point out that none of this has anything to do with the encryption algorithm or the key length. A weak 40-bit algorithm doesn't make this attack easier, and a strong 256-bit algorithm doesn't make it harder. These attacks simulate the process of the user entering the password into the computer, so the size of the resultant key is never an issue.

For years, I have said that the easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product. A similar thing is going on here. The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system.
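The two halves of the argument above, the root-plus-appendage guess order and the deliberately slow password-to-key conversion, are easy to see side by side in code. The block below is an added example written for this page, not PRTK or any AccessData code. The dictionaries are tiny constructed stand-ins (the real lists are not public), the salt is fixed for reproducibility, and SHA-1 versus PBKDF2 stands in for "simple conversion" versus "ramp-up function"; the guess rates it prints are whatever your machine produces, not the article's figures.

```python
import hashlib
import itertools
import time

# Constructed miniature stand-ins for PRTK's root and appendage dictionaries.
# AccessData's real lists are not public; these are assumptions for illustration.
COMMON_PASSWORDS = ["password", "letmein", "123456", "qwerty", "monkey"]
ROOTS = ["summer", "dragon", "falcon", "sunny", "boston"]
SUFFIXES = ["", "1", "4u", "69", "abc", "!", "123", "99", "2006", "2007"]
PREFIXES = ["", "1", "!"]
LEET = str.maketrans({"s": "$", "a": "@", "l": "1", "e": "3", "o": "0"})
SALT = b"constructed-salt"          # a real system uses a random per-user salt


def case_variants(root):
    """Lowercase, initial-uppercase, all-uppercase, final-uppercase (the article's order)."""
    return [root.lower(),
            root[:1].upper() + root[1:].lower(),
            root.upper(),
            root[:-1].lower() + root[-1:].upper()]


def candidate_passwords():
    """Yield guesses cheapest-first: common passwords with common suffixes, then
    root dictionaries with case variants, leet substitutions and appendages."""
    seen = set()
    phase1 = (pw + suf for pw, suf in itertools.product(COMMON_PASSWORDS, SUFFIXES))
    phase2 = (pre + variant + suf
              for root in ROOTS
              for cased in case_variants(root)
              for variant in (cased, cased.translate(LEET))
              for pre, suf in itertools.product(PREFIXES, SUFFIXES))
    for guess in itertools.chain(phase1, phase2):
        if guess not in seen:               # leet of an all-uppercase root repeats the root
            seen.add(guess)
            yield guess


def fast_kdf(password):
    """Unsalted single hash: a 'simple password-to-key conversion'."""
    return hashlib.sha1(password.encode()).digest()


def slow_kdf(password, iterations=10_000):
    """Deliberately slow derivation (PBKDF2-HMAC-SHA256): the 'ramp-up' the article describes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, iterations)


def crack(target_key, kdf):
    """Walk the guess list; return (password, guesses_tried) or (None, guesses_tried)."""
    tries = 0
    for guess in candidate_passwords():
        tries += 1
        if kdf(guess) == target_key:
            return guess, tries
    return None, tries


def guesses_per_second(kdf, sample=50):
    """Rough guess rate for one KDF on this machine."""
    start = time.perf_counter()
    for guess in itertools.islice(candidate_passwords(), sample):
        kdf(guess)
    return sample / max(time.perf_counter() - start, 1e-9)


if __name__ == "__main__":
    # "Dr@g0n69" is a dictionary root with common case, substitution and appendage;
    # "drag7on!" puts a digit in the middle of the root, which no list here produces.
    for pw in ("letmein1", "Dr@g0n69", "drag7on!"):
        found, tries = crack(fast_kdf(pw), fast_kdf)
        print(f"{pw!r}: {'found' if found else 'not found'} after {tries} guesses")
    print(f"fast KDF: {guesses_per_second(fast_kdf):,.0f} guesses/s")
    print(f"slow KDF: {guesses_per_second(slow_kdf):,.0f} guesses/s")
```

Running `crack(slow_kdf("Dr@g0n69"), slow_kdf)` instead of the fast variant finds the same password after the same number of guesses, only several orders of magnitude more slowly, which is the whole point of the ramp-up: it changes nothing about which passwords are reachable, only how many of them an attacker can afford to try. The user-side lesson is the one the article draws: a password that is not on the lists at all ("drag7on!" here) is never reached, regardless of KDF.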


So what are organizations doing about that? Here's one idea.

http://news.com.com/2100-7355_3-6149722.html?part=rss&tag=2547-1_3-0-5&subj=news

PayPal to offer password key fobs to users

Passwords generated for one-time use are designed to increase security for PayPal and its account holders.

By Joris Evers Staff Writer, CNET News.com Published: January 11, 2007, 5:55 PM PST

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.
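A six-digit code that changes every 30 seconds is what the OATH time-based algorithm (RFC 6238, built on the HOTP counter-based code of RFC 4226) produces; the article does not say which algorithm PayPal's fob uses, so treating it as that scheme is an assumption. The block below is an added example written for this page, not PayPal's or the fob vendor's code. The secret is the RFC test-vector key, which is why the known values can be checked; the verifier class, its drift window and its replay check are design choices made here.

```python
import hashlib
import hmac
import struct
import time

STEP = 30        # seconds per code, as the article describes
DIGITS = 6
# Constructed test secret (the RFC 4226/6238 test-vector key). A real fob carries a
# per-device secret provisioned at manufacture and held at the verifier.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=STEP):
    """Time-based code (RFC 6238): the counter is the number of whole steps since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


class FobVerifier:
    """Server-side check of a fob code. Tolerates +/-window steps of clock drift
    between fob and server, and never accepts a step at or before the last one
    already used, so a code captured once cannot be replayed inside its window."""

    def __init__(self, secret, window=1, step=STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1

    def check(self, code, at=None):
        if len(code) != DIGITS or not code.isdigit():
            return False
        at = time.time() if at is None else at
        counter = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue                                      # already consumed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    shown = totp(SECRET, now)
    print("fob shows:", shown)
    verifier = FobVerifier(SECRET)
    print("first use accepted:", verifier.check(shown, now))
    print("replay accepted:   ", verifier.check(shown, now + 5))
```

Two caveats a deployment has to live with: the verifier's clock must stay within the drift window of the fob's, or valid codes are refused; and a code is good for roughly one step, so a phishing site that relays the code to the real service within that time still gets in. The replay check stops reuse after the fact, not real-time relay.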



Is this another Sony Management error?

http://www.sgknox.com/2007/01/11/no-porn-on-blu-ray/

No Porn On Sony HD-DVD Blu-ray?

Thursday, January 11th, 2007 | 8:15 pm

Has Sony gone mad? Prominent adult movie producer Digital Playground (site) says it is forced to use HD DVD instead of Blu-ray, because Sony does not allow XXX-rated movies to be released on Blu-ray.

It does not matter how you stand on porn. It is here and it is a massive business. It is also an industry that is an early adopter of new media technology. VHS might not have won without the adult film industry adopting it. [Yes, they are that significant! At least, they were back then. Bob]

German Heise has interviewed Joone, the founder of Digital Playground, at the AVN 2007 show in Las Vegas. Joone actually said last year that he was committed to Blu-ray. Now they have announced four HD DVD titles in the United States. In the interview Joone says he was forced to use HD DVD, because no Blu-ray disc manufacturer would make his discs: Sony was against it and they would lose their license.

If this holds true, Blu-ray is at a major disadvantage and could fail.



Gee, those RFID chips must have greater range than we've been told...

http://yro.slashdot.org/article.pl?sid=07/01/11/2021244&from=rss

MINI Introduces RFID-Activated Billboards

Posted by kdawson on Thursday January 11, @04:30PM from the L.A.-Story-meets-Minority-Report dept. Privacy

frinkster writes "MINI USA has placed interactive billboards in 4 US cities (Chicago, Miami, New York and San Francisco) and invited a few hundred MINI owners in those cities to join their targeted 'advertisement' pilot program. The owners sign up on MINI's website and receive an RFID keyfob in the mail. When that MINI owner drives by the billboard, a targeted message appears. Each owner tells MINI what to show when they drive by, such as 'Jim, you are one sexy beast.' If the pilot program is successful, MINI plans to put up more billboards in more cities and allow every owner to participate. MINI swears that no personal information is contained in the keyfobs and that all communication between the MINI and the owner is subject to their privacy policy and thus the program is completely safe. But how well will they keep their billboard logs away from the prying eyes of law enforcement or private detectives? And what are they doing to prevent 'hackers' from changing the personal messages to insults, such as 'Jim, nice to see you finally emerge from your mother's basement'?"

MINI calls the interactive billboards "Motherboards." [Think they left out a couple of syllables? Bob]



Tools & Techniques for the serious invader of privacy?

http://news.com.com/2061-11128_3-6149531.html?part=rss&tag=2547-1_3-0-5&subj=news

Company with a camera that sees through walls gets $14 million

January 11, 2007 12:36 PM PST

Camero, a company out of Israel that has developed a camera that can "see" things through solid walls, has raised $14 million, bringing the total it has raised to $20 million.

The investment comes about four months after it showed off a prototype of the Xaver800 and began to sell systems to customers. Investors include Greylock Partners, Motorola Ventures and Walden.

The Xaver800 doesn't technically capture images directly. Instead, it issues ultrawideband signals and the data harvested is then used to create 3D models of things the signals bounced off of. The trick is that the camera can capture the signals in cluttered environments or through solid objects. Researchers at U.S. universities are working on similar projects.

The camera is only sold to military and police agencies.

Camero's work typifies the state of the growing high tech industry in Israel. While some multinationals have come out of the country, the local industry thrives mostly on scads of start-ups with relatively futuristic technologies, often associated with the military.

As a result, it's one of the places on the globe where the IPO is still a big deal. Last year, 20 Israeli companies held public offerings. More tech IPOs occurred in the U.S., but the U.S. is also bigger. Seventy-six local companies got merged or acquired. The total value of mergers came to $10.6 billion, according to the Israel Venture Capital Research Center.



Don't tell the RIAA, tell your neighborhood garage band...

http://slashdot.org/article.pl?sid=07/01/11/002201&from=rss

Download Only Song to Crack the Top 40

Posted by samzenpus on Wednesday January 10, @10:03PM from the all-shook-up dept. Music The Internet

nagora writes "The BBC is reporting that next week's UK music chart may have the first sign of the end of the recording industry as we know it. From this week (7th Jan, 2006), all downloaded music sales are counted in the official UK chart, not just tracks which have had a physical media release. Now, an unsigned band called Koopa is poised to enter the top 40 without any old-world recording, distribution, or production deals. Band member Joe Murphy says "If someone comes along and gives us an offer, we'll talk to them." before continuing on to add the words the recording industry has been having nightmares about since the introduction of the mp3 format: "If we can get enough exposure and get in the top 40 by the end of the week, do we necessarily need a large label? Probably nowadays, no you don't." Is this finally the crack in the dam we've all been waiting for to wash away the entrenched monopolies of 20th century music production? Or just a sell-out waiting to happen?"


While we're on the subject of the RIAA...

http://techdirt.com/articles/20070110/004225.shtml

History Repeats Itself: How The RIAA Is Like 17th Century French Button-Makers

from the no,-seriously... dept

As regular readers know, I've been working through a series of posts on how economics works when scarcity is removed from some areas. I took a bit of a break over the holidays to catch up on some reading, and to do some further thinking on the subject (along with some interesting discussions with people about the topic). One of the books I picked up was one that I haven't read in well over a decade, but often recommend to others to read if they're interested in learning more about economics, but have no training at all in the subject. It's Robert L. Heilbroner's The Worldly Philosophers. Beyond giving readers a general overview of a variety of different economic theories, the book actually makes them all sound really interesting. It's a good book not necessarily because of the nitty gritty of economics (which it doesn't cover), but because it makes economics interesting, and gives people a good basis to then dig into actual economic theory and not find it boring and meaningless, but see it as a way to better understand what these "philosophers" were discussing.

Reading through an early chapter, though, it struck me how eerily a specific story Heilbroner told about France in 1666 matches up with what's happening today with the way the recording industry has reacted to innovations that have challenged their business models. Just two paragraphs highlight a couple of situations with striking similarities to the world today:

"The question has come up whether a guild master of the weaving industry should be allowed to try an innovation in his product. The verdict: 'If a cloth weaver intends to process a piece according to his own invention, he must not set it on the loom, but should obtain permission from the judges of the town to employ the number and length of threads that he desires, after the question has been considered by four of the oldest merchants and four of the oldest weavers of the guild.' One can imagine how many suggestions for change were tolerated.

Shortly after the matter of cloth weaving has been disposed of, the button makers guild raises a cry of outrage; the tailors are beginning to make buttons out of cloth, an unheard-of thing. The government, indignant that an innovation should threaten a settled industry, imposes a fine on the cloth-button makers. But the wardens of the button guild are not yet satisfied. They demand the right to search people's homes and wardrobes and fine and even arrest them on the streets if they are seen wearing these subversive goods."

Requiring permission to innovate? Feeling entitled to search others' property? Getting the power to act like law enforcement in order to fine or arrest those who are taking part in activities that challenge your business model? Don't these all sound quite familiar? Centuries from now (hopefully much, much sooner), the actions of the RIAA, MPAA and others that match those of the weavers and button-makers of 17th century France will seem just as ridiculous.



Oh wait, we didn't mean that either...

http://linux.slashdot.org/article.pl?sid=07/01/11/1434224&from=rss

SCO Files To Amend Claims To IBM Case, Again

Posted by kdawson on Thursday January 11, @09:48AM from the give-it-up dept. Caldera Linux

UnknowingFool writes "SCO filed a motion to allow it to change its claims against IBM. Again. A brief recap: In December 2005, SCO was supposed to finally list all claims against IBM. This was the Final Disclosure. In May 2006, SCO filed its experts reports to the court which discussed subjects beyond those in the Final Disclosure. Naturally, IBM objected and wanted to remove certain allegations. Judge Wells ruled from the bench and granted IBM's motion: SCO's experts cannot discuss subjects that were not in the Final Disclosure. Now, SCO wants to amend the December 2005 Final Disclosure to include other allegations."



This is also a good way to carry your hacking tools... Er... So I've been told. (Naturally this crashed the site...)

http://digg.com/software/Carry_a_PC_Repair_System_on_a_USB_Drive

Carry a PC Repair System on a USB Drive

The Daily Cup of Tech computer help site put together a USB-drive based collection of software that'll help you resuscitate any ailing PC. All wrapped up into one convenient, 14.2MB zip file, the USB PC Repair System contains 37 fix-it utilities. (via Lifehacker)

http://www.dailycupoftech.com/Downloads/PCRepairSystem.zip

Thursday, January 11, 2007

Isn't the answer obvious? (If you think it is, ask your security manager what he is doing to mitigate the threat...) Gary Alexander sent this great summary. Think of it as a New Year resolution!

http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1168336934590

Are Mobile Devices Portable Security Threats?

Julie Machal-Falks & Robert Scott Law Technology News January 10, 2007

Think a data security breach is unlikely to hit your firm? Think again. One of the greatest risks facing organizations today is the proliferation of portable devices -- laptops, PDAs, USB jump drives -- that often contain personal customer or employee data.

In fact, a recent survey of 500 corporate IT departments, conducted by the Ponemon Institute, found that 81 percent of respondents had experienced a lost or stolen laptop or portable storage device. And, says the institute, about 60 percent of PDAs and laptops contain unprotected sensitive or confidential information.

These data losses can be very costly. Let's look at some recent reports:

A 2006 survey from Symantec Corp. found that the average laptop contains data worth approximately $972,000. [I find that hard to believe... Bob]

Another 2006 survey, produced by the Federal Bureau of Investigation, estimated the average annual cost of computer security incidents at $67.2 billion.

An earlier 2005 survey, from PGP Corp., reported that lost confidential customer information typically costs companies $14 million.

NOT JUST MONEY

But costs of lost or stolen data are not just monetary. They often include loss to business reputation and customer goodwill.

For example, PGP found that when companies notify customers that their data has been compromised, 19 percent terminate the relationship, 40 percent consider terminating the relationship and 27 percent of respondents express concern about the relationship.

Indeed, half of recovery costs after a data breach are attributable to loss of existing customers.

So what can you do to protect your firm?

You may be surprised, but protecting your data often involves some very simple, common-sense steps: [AMEN! Bob]

Encryption: To protect sensitive information and reduce the need to report security breaches, be sure your users routinely encrypt all names, addresses, account numbers and other personal information.

Passwords: Always protect information stored on the laptop with a secure password [Oxymoron alert! Bob]. To maximize safety, passwords should include a combination of numbers and upper- and lowercase letters.

Remote security tools: Be sure that everyone in your organization is using remote security tools that help your firm find and deactivate drives in the event a portable device is lost or stolen. Among the products available are MyLaptopGPS, by AIT Solutions, and Inspice Trace and Inspice SmartProtec, from Inspice.

Backup, backup, backup: It goes without saying that it's absolutely essential to do backups. Be sure that all important data contained on the laptop is backed up. Establish and enforce protocols.

Hardware: In addition to software security, use traditional hardware measures -- such as locks and cables. These security devices make theft more difficult and thereby discourage thieves from taking your machine.

Hide your device: Never leave a device on your desk or any other open, visible place. When leaving a laptop in your office, make sure it is hidden and secured.

Be inconspicuous: Always keep your laptop in an inconspicuous case. Flashy cases will expose your computer by attracting thieves' attention.

A simple, padded messenger bag can suffice as a protective container.

INSURANCE COVERAGE

Your organization may want to consider some of the new policies offered by insurance providers that are specifically designed to assist with data breaches. These may help you defray the costs associated with investigating a breach to determine whether state laws require notification, as well as help pay for the costs associated with breach notification requirements.

The new policies often include coverage for the following claims:

Failure of network security; [Note: Failure is not the same as non-existent... Bob]

Wrongful disclosure of private or confidential information;

Failure to protect confidential or private information;

Violations of federal, state or local privacy statutes.

Some corporate identity theft insurance policies also assist with the costs associated with defraying damage to the firm's reputation. Some also provide crisis management coverage and reimbursement for public relations expenses.

The coverage also may provide a defense in the event that a security breach results in a regulatory investigation or a civil lawsuit. For example, AIG's Corporate Identity Protection offers a product that covers administrative expenses resulting from a breach of personal information.

Like a traditional commercial policy, some security breach policies contain provisions that the insurance company will be required to pay for an attorney to defend the company in the event it experiences a data security breach.

Finally, look for policies that cover the costs associated with post-event services, like credit monitoring and identity theft education to the individuals affected by the security breach.



Not much information yet...

http://www.wric.com/Global/story.asp?S=5924191

Philip Morris ID Theft Alert

Jan 11, 2007 06:23 AM FROM 8NEWS

Thousands of local Philip Morris workers could be at risk of identity theft.

Philip Morris is warning thousands of local workers their personal information may have been accessed. The company began alerting employees this week that laptop computers have been stolen that included names, salaries and social security numbers of employees.

These laptops were taken from the offices of a New York City consulting firm that handles benefit programs for Philip Morris.



It's good to know that things are still moving along on this case...

http://www.chron.com/disp/story.mpl/ap/fn/4462410.html

Investigator Charged in HP Probe

By JORDAN ROBERTSON AP Business Writer Jan. 10, 2007, 10:28PM

SAN FRANCISCO — A private investigator accused of posing as a journalist to access the reporter's private phone records as part of the boardroom spying scandal at Hewlett-Packard Co. was charged Wednesday with federal identity theft and conspiracy charges, prosecutors said.

Bryan Wagner is accused of using the Social Security number of the unidentified journalist to illegally gain access to the phone logs, according to the criminal charges filed in San Jose federal court by U.S. Attorney Kevin V. Ryan's office.

Wagner is also accused of conspiring to illegally obtain and transmit personal information on HP directors, journalists and employees as part of the computer and printer maker's crusade to ferret out the source of boardroom leaks to the media.

... The federal charges accuse Wagner of obtaining a reporter's Social Security number from other unidentified coconspirators, using that information to set up an online account with the telephone company in the reporter's name and accessing the detailed phone logs.

Wagner, of Littleton, Colo., faces up to five years in prison if he's convicted on the conspiracy charge, and a mandatory minimum of two years in prison if convicted of identity theft.

... The way Wagner was charged -- he agreed to waive grand jury proceedings -- suggests he's likely cooperating with investigators aiming for more high-profile targets, said Matthew Jacobs, a former federal prosecutor in San Francisco who is now in private practice.



Wow! How very 1950's cold war-ish...

http://www.cbc.ca/technology/story/2007/01/10/rfid-defence.html

Canadian coins bugged, U.S. security agency says

Last Updated: Wednesday, January 10, 2007 | 8:52 AM ET The Canadian Press

They say money talks, and a new report suggests Canadian currency is indeed chatting, at least electronically, on behalf of shadowy spies.

Canadian coins containing tiny transmitters have mysteriously turned up in the pockets of at least three American contractors who visited Canada, says a branch of the U.S. Department of Defence.

Security experts believe the miniature devices could be used to track the movements of defence industry personnel dealing in sensitive military technology.

"You might want to know where the individual is going, what meetings the individual might be having and, above all, with whom," said David Harris, a former CSIS officer who consults on security matters.

"The more covert or clandestine the activity in which somebody might be involved, the more significant this kind of information could be."

The counter-intelligence office of the U.S. Defence Security Service cites the currency caper as an example of the methods international spies have recently tried to illicitly acquire military technology.

Nearly 1,000 'suspicious' contacts

The service's report, Technology Collection Trends in the U.S. Defence Industry, says foreign-hosted conventions, seminars and exhibits are popular venues for pilfering secrets.

The report is based on an analysis of 971 "suspicious contact reports" submitted in fiscal 2005 by security-cleared defence contractors and various official personnel.

"On at least three separate occasions between October 2005 and January 2006, cleared defence contractors' employees travelling through Canada have discovered radio frequency transmitters embedded in Canadian coins placed on their persons," the report says.

... Harris speculates recent leaps in miniaturization could allow for a sophisticated transmitter capable of monitoring a target's extensive travels.

"I think we can be pretty darn confident that the technology is there for the sorts of micro-units that would be required to embed these things in a coin," he said.

"It's a brave new world, and greatly concerning on so many levels."

... "It is important to recognize copiers and shredders can contain built-in scanners to copy the data."

Other common methods include placing listening devices in rooms, searching hotel rooms, inspecting electronic equipment and eavesdropping on conversations.

The report, which first came to light in a U.S. newspaper, has since been posted on the website of the Federation of American Scientists, [ http://www.fas.org/main/home.jsp ] an organization that tracks the intelligence world and promotes government openness.



Someone gets it?

http://www.crgazette.com/2007/01/10/Home/judiciary.htm

Chief Justice: E-filing raises security issues

Published: 01/10/2007 09:56 AM By: Rod Boshart - The Gazette

DES MOINES, IA - The head of Iowa's judicial system says the rapid changeover to an electronic court filing system utilizing the Internet may require the Legislature to re-examine privacy laws governing access to information contained in public records.

Marsha Ternus, delivering her first Condition of the Judiciary address today as chief justice of the Iowa Supreme Court, said the switch from a paper-based court system to new e-filing convenience has brought heightened concerns for information security and personal privacy.

"Individuals involved in court proceedings will be more vulnerable to identity theft and prying eyes," she told a joint convention of the Iowa General Assembly.

Ternus said the Iowa court system is slated to conduct two test projects for electronic filing later this year with plans to convert to a statewide e-filing system in five years. She suggested the switch may require special court rules and legislative changes to Iowa's public records statute to balance access and privacy issues.

... Currently, considerable information of a personal nature - such as birth dates, addresses, children's names, and financial account information - is part of the public record but not easily accessible without going to a courthouse and digging through records, she noted. That will change with instantaneous electronic access "24/7" from remote locations anywhere in the world via online court records.



Is there an American version of this report?

http://www.p2pnet.net/story/10966

Canadian 'privacy breach' notification

p2pnet.net News:- Of an estimated 49 million Americans notified of unauthorized access to their personal information during the past three years, about 9.3 million believe something bad happened to them as a result of the breach, said a recent Harris Interactive poll.

... Approaches to Security Breach Notification, a CIPPC white paper released today, reviews breach notification laws enacted by over thirty American states so far, and argues that the federal government should have similar protections in place for Canadians.



My barber greets me by asking for my phone number... Whatever happened to “Hi, Bob!”

http://www.computerworld.com/blogs/node/4323

Food services don't need my ID to serve me

By Martin McKeay on Wed, 01/10/2007 - 10:31am

This is a disturbing trend I've been hearing more and more lately: bars and restaurants are asking for ID's and/or storing your ID information in their database before they'll serve you. This is a trend that has to be nipped in the bud before smart criminals start taking advantage of this well intentioned but misguided attempt at safeguarding food service profits. The potential for abuse, either by simply stealing ID's or the databases containing the recorded data is too tempting to remain unexploited for long.

The first I heard of this practice was an IHOP in Massachusetts that was taking diners' ID's before they could be seated. It seems the restaurant had recently had a rash of dine-and-dash types running out before they paid for the meal they'd just eaten. For the manager of the IHOP, it made perfect sense to ask for ID, since the perceived risk to IHOP was minimal and it directly addressed the problem of finding the people who ran off without paying their bills. What he didn't take into account is the possible loss to the company if even one of those ID's that he'd taken was used to steal an identity; Massachusetts ID's have Social Security Numbers on them.

... Last week a friend and fellow security expert was down in the Florida Keys where a restaurant refused to put his family on the wait list unless they were willing to leave a military ID, drivers license or credit card. I'm not sure what risk the restaurant thought they were addressing here, since it cost them next to nothing to put a name on the wait list. What really concerns me is that this area apparently has a large community of active duty military personnel and was asking for military ID's; in a time where 'national security' is a bugaboo that every politician is using to scare the populace, did anyone think that asking military personnel to turn over their ID's might be a breach of security? If I wanted to get on a military base and knew that a local restaurant was taking ID's, it'd be a fairly simple task to get a job there and make copies of ID's as they came by or wait for someone to accidentally leave their ID behind. This case really makes no sense to me because the potential downside to taking the ID's is immense and does not appear to address any risk to the business, other than the 30 seconds lost when the hostess has to call out a name and then cross it off the list.

Finally, another security expert was out bar hopping after a college football game and was asked to present ID before being allowed into a bar. So far so good, except the bouncer at the bar was scanning the magnetic stripe information from the drivers licenses and storing the name, birth date and drivers license number. To add insult to injury, the bouncer was apparently so intent on his scanning process that he wasn't actually checking the faces on the ID's against the person holding them.



http://sunbeltblog.blogspot.com/2007/01/is-this-miscarriage-of-justice.html

Wednesday, January 10, 2007

Is this a miscarriage of justice?

A substitute school teacher in Connecticut has been found guilty of exposing children to porn.

She could face up to 40 years in prison.

However, there are some interesting aspects to this case:

  • The defense contends this was a case of spyware on the school machine — a barrage of popups.

  • The school did have content filtering but the license was expired.

  • According to another article, “Computer expert W. Herbert Horner, who performed a forensic examination of the computer for the defense, said Amero may have been redirected to the sexually-oriented sites through a hairstyling site accessed from the computer. He said the site allowed spyware to be downloaded onto the computer which allowed the pop-ups.”

  • And, according to one source, the Trial Judge, Hillary Strackbein, “was seen falling asleep during proceedings and made comments to the jury that she wanted the case over by the end of the week. It was also reported that Judge Strackbein attempted to pressure the defense into an unwanted plea deal, in place of a trial. The defense attorney for Amero moved for a mistrial shortly before closing arguments Friday, based on reports that jurors had discussed the case at a local restaurant.”

Was justice done here? That’s not entirely clear. A bad spyware infestation can splatter a machine full of porn popups and it’s a bit unnerving to think that a teacher could get hard prison time for something that might have been completely innocent.



If you copy, copy from the very best...

http://www.bespacific.com/mt/archives/013549.html

January 10, 2007

Top 10 Court Web Site Awards Announced for 2006

The Justice Served 2006 Top 10 Court Website Award winners. Among the winners is the Connecticut Judicial Branch Law Libraries.

Wednesday, January 10, 2007

Somehow, this doesn't give me that warm fuzzy feeling...

http://www.theinquirer.net/default.aspx?article=36814

Government spooks helped Microsoft build Vista

Helping a Vole out of a hole

By Nick Farrell: Tuesday 09 January 2007, 14:26

THE USA GOVERNMENT'S cryptologic organisation, the National Security Agency, has admitted that it is behind some of the security changes to Microsoft's operating system Vista.

According to the Washington Post, the agency which was once so secret that it was jokingly referred to as 'No such Agency' has admitted making 'unspecified contributions' to Vista.

Tony Sager, the NSA's chief of vulnerability analysis and operations group, told the Post that it was the agency's intention to help everyone these days.

The NSA used a red and a blue team to pull apart the software. The red team posed as "the determined, technically competent adversary" to disrupt, corrupt or steal information. The Blue team helped Defense Department system administrators with Vista's configuration.

Vole said that it has sought help from the NSA over the last four years. Apparently its skills can be seen in the Windows XP consumer version and the Windows Server 2003 for corporate customers.

The assistance is at the US taxpayers' expense, although the NSA says it all makes perfect sense. Not only is the NSA protecting United States business, its own Defense Department uses VoleWare so it is in the government's interest to make sure it is as secure as possible.

Microsoft is not the only one to tap the spooks. Apple, with its Mac OSX operating system, and Novell with its SUSE Linux also asked the NSA what it thought of their products. The NSA is quite good at finding weapons of mass destruction that are not there.



Perhaps this is too technical for Homeland Security?

http://today.reuters.com/news/articlenews.aspx?type=internetNews&storyID=2007-01-09T082356Z_01_L09913020_RTRUKOC_0_US-BRITAIN-SECURITY-EMAILS.xml

Britain's MI5 spy agency to send terror alert emails

Tue Jan 9, 2007 3:24 AM ET

LONDON (Reuters) - Britain's domestic spy agency MI5 launched a new email alert service on Tuesday to warn the public about changes in the security threat level.

Internet users will be able to register on the MI5 Web site to receive automatic electronic updates in their email inboxes.

The email alerts are the latest in a series of moves by MI5 and its partner, the international spy agency MI6, to open up to the public after decades of guarding extreme secrecy.

"It's part of the service's ongoing effort to improve its public communications and contribute to the government's policy of keeping the public informed about the national threat level," a spokeswoman for the home office said.

In recent years both MI5 and MI6 have begun to emerge from the shadows, launching Web sites offering security advice and information about careers in the spy services, and even running recruitment advertisements in newspapers.

The spokeswoman said the email alert service would inform people of threat level ratings which the government has been making public since last August.

The current rating is "severe", the second-highest level -- indicating the government believes an attack is highly likely.

The head of MI5, Eliza Manningham-Buller, said last November that there were at least 30 active Islamist militant plots in Britain and the threats could involve chemical or nuclear devices.

As well as signing up for threat updates, Internet users will also be able to register for email alerts on any other new information posted on the MI5 Web site.



This is a common marketing technique, but at the low end of parental “comfort factor.”

http://www.newsday.com/news/printedition/longisland/ny-lisuit105046407jan10,0,2829709.story?coll=ny-linews-print

Pentagon, students settle privacy case

BY GRAHAM RAYMAN Newsday Staff Writer January 10, 2007

The Pentagon has agreed to new limits on the use of student information contained in a massive database used for military recruiting.

The rule changes, reported in the Federal Register yesterday, settle a lawsuit by the New York Civil Liberties Union on behalf of five high school students who said the database violated their privacy rights.

... The database, known as JAMRS for Joint Advertising and Market Research Studies, contains some 40 million names culled from various sources, including lists purchased from marketing firms.

DOD agreed not to disclose student information to law enforcement or credit agencies, to keep personal information for three years instead of five, and to stop collecting student Social Security numbers.

The rules also clarify procedures allowing students to block the military from including their information in the database.

... Yesterday's settlement does not prevent the Pentagon from collecting information on the race and ethnicity of students, which has drawn criticism from the civil liberties organization as well.

"I think it's unfair for the military to use a person's ethnicity as a means to get a person to join the army," said Healey, a volunteer at NYCLU who plans to attend Wesleyan University in the fall.

To keep their names out of the database, students must send a letter to the JAMRS offices, 4040 N. Fairfax Dr., Ste. 200, Arlington, VA 22203.



Who should control (own?) your information?

http://www.pogowasright.org/article.php?story=20070110072923367

Kaine: a Do-Not-Sell List would protect our privacy

Wednesday, January 10 2007 @ 07:29 AM CST - Contributed by: PrivacyNews - State/Local Govt.

Much as the federal "do not call" list is intended to block pesky telemarketers, Gov. Timothy M. Kaine wants a similar registry to help people protect their personal information. Kaine said Tuesday that he is forming a study group to figure out how to create a state Do Not Sell list that would prohibit credit card companies and other financial institutions from selling personal information about people who sign up for the registry.

http://content.hamptonroads.com/story.cfm?story=117332&ran=92080



If they are that dumb, perhaps they should be eliminated from the gene pool?

http://www.pogowasright.org/article.php?story=20070110072809971

Lawyers' association criticizes scrutiny of credit card transactions

Wednesday, January 10 2007 @ 07:28 AM CST - Contributed by: PrivacyNews - Non-U.S. News

The German Bar Association (DAV) has voiced grave doubts about the scrutiny of credit card data that the prosecuting authorities had initiated in the course of an enforcement operation aimed at the Internet-based child pornography scene; an approach that has allowed the authorities to score a spectacular success in their fight against child pornography.

http://www.heise.de/english/newsticker/news/83488

[From the article: In the opinion of data privacy watchdogs this investigative approach by and large provides no grounds for legal objections. Banks are in the opinion of the Data Protection Commissioner of the federal state of Schleswig-Holstein entitled, under certain conditions, to make available to the prosecuting authorities credit card information relating to suspects. The investigators too have been at pains to point out that the measures in question did not amount to a profiling-based data trawling operation. "The means applied here boil down to a classical method of criminal investigation, to which no legal objections can be raised," Thilo Weichert, the Data Protection Commissioner of the federal state of Schleswig-Holstein and head of the Independent State Center for Data Protection of Schleswig-Holstein (ULD) remarked.]



Different cultures, different rules. Think it never happens in the US? See the next article...

http://techdirt.com/articles/20070109/191918.shtml

Japanese Defense Agency Finally Decides That Staff Shouldn't Keep Nuclear Secrets On Personal Laptops In Shared Folders

from the took-'em-long-enough dept

You may recall a year and a half ago that some Japanese nuclear secrets were revealed to the world thanks to an IT contractor putting files on a personal computer that happened to have the popular Japanese file sharing app, Winny, installed. You would think that Japan would crack down on these sorts of practices, making sure that staff not be allowed to put sensitive files on personal computers or to install file sharing apps on government computers. However, instead, they just came out and publicly begged people not to use file sharing programs and to simply delete inappropriate info they might have downloaded. However, it appears that hasn't worked very well. The Japanese Defense Agency is admitting they know of at least 27 cases of sensitive information being exposed via Winny in the last few years -- starting not with the nuclear secrets in 2005, but fiscal data in 2002. Yes, for over four years they've known about the issue, and just now they've decided that maybe it would be a good idea to buy separate computers for Defense Agency staff, so that they don't feel the need to put confidential Agency data on their home computers. It took them this long to figure this out? Of course, the government was much faster in going after the creator of Winny and finding him guilty of helping copyright violations. Perhaps they would have been better off focusing on not revealing state secrets, rather than charging a software programmer for building a useful tool that has been misused by government employees.


http://www.pogowasright.org/article.php?story=20070110073019446

More Federal Agencies Report Missing Laptops

Wednesday, January 10 2007 @ 07:30 AM CST - Contributed by: PrivacyNews - Fed. Govt.

WASHINGTON - Over the past five years, the United States Department of Defense has reported 60 laptop computers missing or stolen from their inventory.

According to documents obtained by WTOP through a Freedom of Information Act request, the DOD is not alone. Many other federal agencies have reported similar or even higher numbers:

National Oceanic and Atmospheric Administration: 319

Department of Interior: 240

Environmental Protection Agency: 60

Department of Labor: 57

National Institute of Standards and Technology: 35

International Trade Administration: 30

Department of Housing and Urban Development: 15

U.S. Patent and Trademark: 9

http://www.wtopnews.com/index.php?nid=428&sid=1028375



No doubt the higher the amount required, the greater your “bragging rights.” Would kidnapping insurance cover this?

http://www.foxnews.com/story/0,2933,242609,00.html

FBI Investigating 'Hit Man' E-Mail Scheme

Tuesday , January 09, 2007

PITTSBURGH — Dentists, doctors, lawyers and other professionals in the Pittsburgh area have been targeted by a "hit man" e-mail scheme, receiving messages that tell them to pay up to keep their lives, the FBI said.

The e-mail, which was sent to most recipients around Christmas, tells the reader that there is a contract out on his life, generally for $50,000. It says that if the recipient sends the "hit man" more money than that — generally ranging from $80,000 to $150,000 — the hit man will leave him alone.

No one has reportedly lost money or been harmed in the scam, but some recipients were unnerved by the messages, said Special Agent Bill Shore, who supervises the computer crime squad in the Pittsburgh FBI office.

"You think, 'What did I get into? What do I gotta do to get out of this?'" Shore said.

The FBI became aware of the scam when people in Atlanta and New Orleans received similar e-mail in early December, Shore said. The scheme seems to have originated in Russia.



Jonathan has gone rather “gloom & doom” hasn't he?

http://www.wired.com/wired/archive/15.01/start.html?pg=15

End-Time for the Internet

Spam, spyware, and viruses can already get in the way of good, clean computing fun. But what happens when malicious code becomes apocalyptic? According to Jonathan Zittrain, professor of Internet governance and regulation at Oxford University, these software saboteurs will drive smart users to dumber appliances like BlackBerrys, iPods, and Xboxes. In his upcoming book, Zittrain writes that the migration to closed systems will end innovation on the Internet. We asked the veteran info-freedom fighter why he’s wearing such gloom-colored glasses.

WIRED: Your scenario is classic – in a backlash against the baddies, we give up our own freedom.

ZITTRAIN: My worry is that users will drift into gated communities defined by their hardware or their network. They’ll switch to information appliances that are great at what they do [email, music, games] because they’re so tightly controlled by their makers.

Things would have to get pretty damn bad to make us abandon our PCs.

It’s plausible they will. It could happen through a watershed moment: A virus infects 50 percent of a corporate network and erases hard drives.

Why hasn’t that happened already?

Great question – analogous to asking why there haven’t been low-level, high-impact acts of terrorism in theaters and shopping malls. The answer is not that security prevents it.

We’re not going to un-network the world.

The problem is, we’re moving to software-as-service, which can be yanked or transformed at any moment. The ability of your PC to run independent code is an important safety valve.

You really think the sky could be falling?

Yes. Though by the time it falls, it may seem perfectly normal. It’s entirely possible that the past 25 years will seem like an extended version of the infatuation we once had with CB radio, when we thought that it was the great new power to the people.



http://www.bespacific.com/mt/archives/013524.html

January 09, 2007

The 2007 Statistical Abstract Available on Web

"The Statistical Abstract of the United States, published since 1878, is the authoritative and comprehensive summary of statistics on the social, political, and economic organization of the United States." [The 2007 Statistical Abstract]



Could this be a useful research tool?

http://www.bespacific.com/mt/archives/013532.html

January 09, 2007

Project for Excellence in Journalism Launches News Coverage Index

"The Project for Excellence in Journalism (PEJ) News Coverage Index, which will be released every Tuesday, is an ongoing study of the news agenda of a wide swath of the American press, measuring the topics covered in 48 different outlets from five sectors of the American media. (See a List of Outlets.) The Index is an attempt to provide an empirical look at what the media are and aren't covering, the trajectories of major stories and differences among news platforms. We believe it is the largest continuing study of the media agenda ever attempted."

  • See also the Tyndall Report, that "monitors the American television network's weekday nightly newscasts."



Perhaps a few useful ideas may bounce off congress...

http://www.bespacific.com/mt/archives/013536.html

January 09, 2007

Senate Judiciary Committee Hearing on Balancing Privacy and Security

Senate Judiciary Committee hearing, January 10, 2007 - "Balancing Privacy and Security: The Privacy Implications of Government Data Mining Programs."



Is the assumption that a great deal of attention now is better than a little attention over the next few months/years? Is the “Streisand Effect” even considered? Who gets consulted before these decisions are made?

http://techdirt.com/articles/20070108/200759.shtml

Eli Lilly Doesn't Want Incriminating Documents Linked From A Wiki

from the you-do-understand-how-the-internet-works,-right? dept

In the latest case involving a big company trying to shut someone up (thereby only drawing that much more attention to it), Eli Lilly apparently was upset that someone had leaked documents suggesting that the pharmaceutical company had downplayed the side effects of its best selling drug, Zyprexa. The company has apparently gone on to pay out over a billion dollars in settlements concerning the drug, but one thing they apparently can't stand is anyone linking to the incriminating documents. Some people got together and put together a wiki that linked to some of the leaked documents, and a court ordered that the links be taken off the wiki. The EFF is defending the still anonymous wiki posters, pointing out that this appears to be a First Amendment violation. The people who put together the wiki were not a part of the lawsuit, and simply were pointing to the documents -- which should leave them outside the jurisdiction of the court. Of course, as has been pointed out over and over again, all this is really doing is getting additional publicity to the fact that these documents existed. So, it seems like any effort to get them completely banned has done the opposite of what Eli Lilly intended.


Ah, Judges can be educated!

http://techdirt.com/articles/20070109/102400.shtml

Brazilian Judge Taught Just A Little About The Internet; Lifts YouTube Ban

from the shouldn't-he-have-done-that-first? dept

It's become quite common for judges who don't quite understand technology to make bad rulings in technology-related cases. Smart judges at least make an effort to actually understand the technology, but you would think they should do so before ordering things to be shut down. Last week, we told you about a Brazilian judge ordering YouTube offline because some people had seen a video on the site of a well-known Brazilian model having sex on the beach. Even though YouTube had removed the video, others had put it back, and so the judge demanded that YouTube be taken down. Barring that, he suggested that ISPs step up and block YouTube, which apparently a few of them have done. However, at some point, the judge apparently got a slightly better understanding of how the internet worked, and has now lifted the original order, while demanding an explanation for why these ISPs can't just block the video, but leave access to the rest of YouTube. So, apparently, it's now clear that banning all of YouTube over one video is inappropriate, but the lessons haven't reached the point where the judge understands that banning anything online, or expecting an ISP to be able to block just a certain video is impossible.



I'll probably add articles like this to my “Intro to Computers” and my “Business Planning” classes...

http://www.netbusinessblog.com/2007/01/09/building-a-niche-minisite/

Building a Niche Minisite (Part 1)

Posted on January 9, 2007 by: Matt | Minisites |

One of the easiest ways to make money online today is by creating “niche minisites.” The internet is huge, and it’s growing bigger everyday. You can always make a site that attempts to compete in large content areas, and you can succeed if you put enough time, effort, and money into it. What if you don’t have a lot of time? What if you don’t have much startup money? What if you’re lazy (even too lazy to start a Myspace turnkey)? Well then maybe you should give niche minisites a shot.