Saturday, January 27, 2007

Probably not targeted identity theft...

http://www.wsls.com/servlet/Satellite?pagename=WSLS%2FMGArticle%2FSLS_BasicArticle&c=MGArticle&cid=1149192869390&path=!news!localnews

Anthem Blue Cross Blue Shield customer information stolen

WSLS NewsChannel 10 Friday, January 26, 2007

Anthem Blue Cross Blue Shield says information for about 50,000 of its Virginia customers was stolen.

That information includes social security numbers and names.

Anthem says the information was on cassette tapes, being stored in a lock box, at one of its vendors.

The company doesn't think whoever took that lock box knew what was inside, or was after the information.



Another “We have no clue” story

http://www.dailypilot.com/articles/2007/01/26/front/doc45ba618886459435458713.txt

Computers stolen from college financial aid office

Thousands of Vanguard University students are at risk for identity theft and fraud.

By Michael Alexander

Two computers stolen from Vanguard University earlier this month have put more than 5,000 financial aid applicants at risk for identity theft, authorities said today.

On Jan. 16, school employees discovered someone had taken the computers from the school’s financial aid office over the Martin Luther King weekend. “Initially university officials had no idea the computers contained sensitive data,” [Didn't the Financial Aid bit give you a clue? Bob] said Ed Westbrook, the school’s vice president of student affairs.

“At first we thought it was just computer theft,” he said. “But when we had the IT [information technology] people there trying to get logged in and determine what was lost, they said we had a problem.”

University officials did not believe the computers kept financial aid data on their hard drives, [Against school policy? Bob] Westbrook said. But last Friday they learned apparently the machines stored that information, including social security numbers, dates of birth, phone numbers, driver’s license numbers and lists of assets.

“When it was passing through that computer it remained on that computer even though we couldn’t see [Huh? Bob] it on the hard drive,” he said. “If they’re sophisticated they might be able to hack into this thing.”



Listen to what you are saying, people...

http://www.fortwayne.com/mld/newssentinel/16554895.htm

INDOT employee info posted on internal computer drive

MIKE SMITH Associated Press

INDIANAPOLIS - The names and Social Security numbers of about 4,000 employees of the Indiana Department of Transportation were inadvertently posted on an internal network computer drive, the agency said Friday.

In a letter sent to the workers Friday, INDOT Commissioner Karl Browning said the file was available to any employee with computer access and could have been viewed by a limited number of third-party contractors with access to the drive. The file was posted on the drive sometime between Sept. 6 and Dec. 4 last year. [“We don't keep no stinking audit trails...” Bob]

"The file was removed from all computer systems and our Information Technology staff is performing an extensive search of all other hard drives for any lists containing this type of information," [The only way they can tell? Bob] Browning said in the letter.

The letter asked employees to contact an agency official if they knew of electronic or print files containing personal information that was not secured.

... INDOT spokesman Andy Dietrick said the agency learned of the problem from an employee who was using the computer system.

... "Please be assured that all appropriate steps are being taken [I don't think we would agree on the definition of “appropriate.” Bob] to prevent any further security lapses involving your personal information," he said.



Are they just hinting at big trouble? Why no details?

http://www.680news.com/news/local/article.jsp?content=20070126_075904_4236

Another possible security breach in Canada's retail sector

Friday, January 26, 2007 - 07:59 AM By: Jennifer MacDonald and Mike Eppel

Toronto - The popular clothing retailer, Club Monaco, has brought in the RCMP to investigate a possible security breach involving customers' credit cards.

The security issue pertains to the retailer's 28 stores across Canada.

This comes just a week after the parent company of Winners and Homesense, revealed its system was hacked into.

According to the Globe and Mail, Club Monaco says it was alerted to the problem by a credit card processor late last year, and a forensic accounting firm was brought in to help the RCMP with their investigation.

The Globe and Mail reports that banks and other card issuers have been notified of the problem, and have been going through their client records for any signs of fraud.

A spokeswoman for the company says investigators have so far found no evidence to suggest a breach occurred, and the data under investigation does not include the personal information of customers.

Club Monaco, now owned by Polo Ralph Lauren, was spearheaded by Canadian designer, Joe Mimram, who sold the stores in 1999.

It currently has 67 stores across North America.



These quotes intrigue me...

http://www.canada.com/nationalpost/story.html?id=35e332e2-c9f2-4321-836c-be2dbb804370

Banks find no fraud from hackers

Emily Mathieu Financial Post, with files Friday, January 26, 2007

Four out of five of the major Canadian banks have said there's not a single confirmed case of fraud reported from customers of Winners and Home Sense stores after hackers broke into computers belonging to the parent U.S.-based discount chain company.

... VISA Canada spokesperson Tania Freedman said it's too early to connect any reports of fraud with TJX, the parent company of Home Sense and Winners. Master Card was unavailable for comment.

"It's really difficult to link fraud back to a specific breach," she said.

TJX, based in Framingham, Mass., reported last week the sales and credit information of millions of customers was accessed through, and in some cases removed from, company databases. [First I've heard that... Makes me wonder if they could detect changes to their database? Would they be required to report changes or deletions? Bob]

... On Wednesday, the Massachusetts Bankers Association, which represents 205 commercial savings and loans institutions in Massachusetts and New England, said U.S. customer information from TJX stores is being used fraudulently in Hong Kong, Sweden, Florida, Georgia and Louisiana. Spokesperson Bruce Spitzer said only a "handful" of U.S. cards have been used for fraud, but that number is likely to rise.


Ditto

http://www.boston.com/news/local/rhode_island/articles/2007/01/26/nh_credit_and_debit_card_data_stolen_in_tjx_hacking/

N.H. credit and debit card data stolen in TJX hacking

January 26, 2007

... Meanwhile, bankers in New Hampshire are considering going to court over the breach, which was reported last week by TJX, the owner of T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the United States, as well as chains in Canada and England.

Jerry Little, president of the New Hampshire Bankers Association, said he estimates as many as 20 to 30 percent of people in New England could have had data stolen and that he and other banking industry leaders in the region are considering legal action.

"Our big question is, why was TJX storing the data to begin with, and are they willing to assume liability and responsibility for the problem they've created," [Can they avoid liability? Bob] he said.

... "This is already large, and growing," Little said. "We're not sure why the information is coming out in drips and drabs ... but it is."

... "Some customers get very, very upset when we reissue their card," said Rebecca Lougee, vice president of marketing. "Because by reissuing their card, we have to suppress their existing card. Then they get caught on vacation, or on the weekend, and their card is not active. Then they find themselves in an awkward position."



We all know that disclosure of “lost personal data” is mandated by law here in the US (okay, in some states...). But apparently not everyone thinks that way...

http://www.canada.com/nationalpost/financialpost/story.html?id=15bc386e-28ba-4ee2-a72a-68e9e5115d8a&k=89839

Watchdog pushed CIBC on lost file

Duncan Mavin Financial Post, with files from Paul Vieira Friday, January 26, 2007

Canada's privacy watchdog said yesterday that it forced Canadian Imperial Bank of Commerce to go public last week with the announcement it lost a file containing private data on half a million mutual fund customer accounts.

"We were very concerned about the direction they were planning to take with respect to notifying the public, and we encouraged them to be as open and transparent as possible," said Anne-Marie Hayden, spokesperson for the Office of the Privacy Commission of Canada.

... NDP Finance critic Judy Wasylycia-Leis also weighed in, expressing dismay that CIBC may not have gone public on the data gaffe without external pressure.

"That makes this even more horrific," Ms. Wasylycia-Leis said. "If Canadians think the banks will only comply with certain standards of decency under duress from Parliament, then we've got a serious problem on our hands."


...but sometimes we don't do such a great job either...

http://www.nj.com/business/ledger/index.ssf?/base/business-5/1169532666221410.xml&coll=1

Garden State Business Briefs

Tuesday, January 23, 2007

Personal information about an unspecified number of current and former Prudential Financial employees was on a handful of laptop computers stolen from a consulting firm's New York offices, Prudential told employees last week.

Towers Perrin, which provides actuarial services for Prudential's pension program, said the information included employees' names and Social Security numbers. Prudential, based in Newark, said a percentage of its 23,000 domestic workers, some former employees and a small number of retirees are affected.

Spokesman Bob DeFillippo declined to provide more specifics.

The five laptops were stolen Nov. 27 by a Towers Perrin employee, according to a complaint filed by the Manhattan District Attorney. Prudential wasn't notified until Jan. 3 at the request of authorities, [What purpose does this serve? Bob] who arrested the Towers Perrin employee Dec. 28.

DeFillippo said Prudential didn't get a complete list of affected employees until Jan. 9 and a formal letter to those workers was sent last week.



What, you couldn't find it on Google Maps? Sounds like a great opportunity for a smart lawyer...

http://games.slashdot.org/games/07/01/26/2026257.shtml

eBay Delisting All Auctions for Virtual Property

Posted by Zonk on Friday January 26, @03:39PM from the definition-of-what-is-real dept.

The growing popularity of Massively Multiplayer games has brought the issue of ownership rights in virtual worlds, and the appropriateness of what is called 'real money transfer' (RMT) into an increasingly public light.

... Following up on a rumour that's been going around I spoke today with a media representative for the company, who confirmed that eBay is now delisting all auctions for 'virtual artifacts' from the site. This includes currency, items, and accounts/characters; not even the 'neopoints' used in the popular Neopets service is exempt from this decision.

... Mr. Hani Durzy, speaking for eBay, explained that the decision to pull these items was due to the 'legal complexities' surrounding virtual property.



Not everyone would agree on the ranking, but if a company is not doing all of these, are they negligent? There is much more detail in the article...

http://www.csoonline.com.au/index.php?id=1327256501&rid=-302

The best practices for network security in 2007

Gary S. Miliefsky, CSO Online 23/01/2007 16:25:34

... Here's my best practice list, in order of importance:

1. Roll out corporate security policies

2. Deliver corporate security awareness and training

3. Run frequent information security self-assessments

4. Perform regulatory compliance self-assessments

5. Deploy corporate-wide encryption

6. Value, protect, track and manage all corporate assets

7. Test business continuity and disaster recovery planning



http://www.law.com/jsp/article.jsp?id=1169719347007

Employers Winning Blog Suits -- So Far

Suits over work-related blogs sure to grow over defamation, trade secrets

Pamela A. MacLean The National Law Journal January 26, 2007

Litigation over employees blogging negatively about their jobs or bosses has been sparse, but most cases so far have come down on the side of the employer.

Yet observers predict that a pro-employer trend in litigation won't stop the growth of legal fights over blogs. The spontaneity and immediacy of computer blogging makes it as appealing as water cooler gossip only with a bigger watering hole, prompting companies to pony up policies controlling the practice.

"This is a challenge that has never before been confronted by the corporate environment," said Jerome Coleman, labor and employment litigator at Nixon Peabody's New York office.

The potential is there to disclose trade secrets, defame the company or create problems with co-workers and discrimination, he said. "But you can't put an outright ban on blogging," Coleman added.

Blogs, short for Web logs, have exploded in popularity in recent years because they allow anyone to publish pet peeves, gossip or anything from the serious to the mundane in a running commentary that can be updated easily.

Although the law is developing in the area, the few court rulings that have come down have been almost exclusively favorable to employers, according to Michael Fox in Ogletree, Deakins, Nash, Smoak & Stewart's Austin, Texas, office, who has had his own employment law blog for several years, "Employerslawyer."

"There are definitely people getting fired out there," he said, but added that there has not been much case law yet. One of the most famous concerns a Delta Airlines stewardess who posted photos of herself while posing in her uniform on her "Diary of a Flight Attendant" blog. Delta fired her and she sued for sex discrimination, Simonetti v. Delta Airlines Inc., No. 5-cv-2321 (N.D. Ga. 2005). The case is still pending.

... A few states protect private employee political speech, but even where there is no such protection, she envisions employers confronting the Railway Labor Act if they interfere with people gathering, through blogs, to critique such things as company benefits, wages and working hours.

... Another is the potential for a company to be dragged into a defamation action as a deep pocket if its resources were used for a blog that posts libelous material, she said. Disputes about employee blog posts will continue to show up in unfair termination cases, she said.

Friday, January 26, 2007

Now they change their procedures...

http://the.honoluluadvertiser.com/article/2007/Jan/25/br/br0713982546.html

Updated at 8:56 p.m., Thursday, January 25, 2007

State employee investigated in ID theft case

Up to 11,500 current and former clients of the Wahiawa Women, Infants and Childrens program are being notified that their personal information may have been compromised after the discovery of an ID theft case.

The Department of Health has put an employee of the WIC office on administrative leave and is investigating the security breach.

At least three families have had their information used illegally and the state is looking into at least two more cases.

"We are encouraging people to go and check their credit ratings and be on the lookout for any kind of suspicious activity," said Health Director Chiyome Fukino, M.D.

The department is recommending that all clients place a fraud alert on their credit files and notify the police of any suspicious credit activity, such as new cards or unauthorized charges.

Fukino said that the WIC program will no longer use Social Security numbers in its database to protect against future incidents. [“Up to now, we haven't given it a thought.” Bob]



Two questions. 1) Since it seems these “errors” are being detected and reported over the Internet all the time, can we assume they are “obvious?” 2) How many are not being reported because the first person to detect them simply took the data?

http://www.thecnj.co.uk/camden/012507/news012507_06.html

Camden New Journal - by PAUL KEILTHY Published: 25 January 2007

Customer details in bank bin bags left out in street

BARCLAYS Bank left the account details of customers in bin bags lying overnight in one of London’s busiest streets and tried to cover up when a New Journal investigation revealed the lapse.

When questioned on Friday, a spokesman for the banking giant repeatedly denied it left bin bags containing paying-in slips, statement details and bank questionnaires in Tottenham Court Road in 2006.

But the evidence, seen by the New Journal, had already been disclosed at Highbury Corner Magistrates’ Court on Thursday, when the bank admitted litter charges brought by Camden Council and was ordered to pay £1,650 in fines and costs.

The chairwoman of magistrates hearing the case was passed photographs taken as evidence by Camden Council enforcement officers, including pictures of the contents of the bags. Sandra Forsyth JP remarked: “These appear to have account details on.” Stuart Hammill, the lawyer acting for the council, agreed, before pointing out that the bags’ contents were not relevant to the offence.

One of the photographs submitted as an exhibit showed a full bag of papers, on top of which is a completed paying-in-slip which appeared to have been crumpled up. Others showed what appeared to be completed questionnaires containing personal details of customers, and print-out statements recording transactions from a bank account.

But asked about the contents of the bags, a Barclays spokesman said: “To the best of our knowledge the evidence presented at court did not contain any of those items.” He added: “The paying-in slip was just a blank paying-in slip. (It) was devoid of information.”

A Barclays statement said: “Additional steps have been implemented to seek to prevent a recurrence. We would emphasise the security of customers’ money and confidential information is the highest priority.”

The council declined to release the pictures. A spokesman said: “Our legal department have advised we cannot release the photographs used in court due to data protection issues arising from some confidential information being visible in the pictures.”

Barclays pleaded guilty to three counts of leaving rubbish in bin bags outside its Tottenham Court Road branch in February and March last year. “The bank very properly and promptly changed the system when the problem came to light,” its lawyer told the court.



So, that makes everything okay?

http://seattletimes.nwsource.com/html/businesstechnology/2003541873_bizbriefs26.html

Stolen Boeing laptop is recovered

A stolen Boeing laptop containing personal information on 382,000 workers and retirees has been recovered.

In an e-mail to employees, Senior Vice President Rick Stephens said Boeing and a third-party computer-security consultant had confirmed that the files with personally identifiable information were not accessed after the theft. [I would be most curious to know how they determined this... They must be very, VERY sure to make such an absolute statement. Bob]

Stephens said Boeing will still honor its commitment to pay for three years of credit monitoring for any employees whose information was on the computer.

The employee responsible for the laptop was fired soon after it was lost in December.



Here is the kind of advice TJX should be getting! (Tylenol is still the classic MBA case study.)

http://www.boston.com/business/globe/articles/2007/01/26/elephants_dont_dance/

Elephants don't dance

By Steve Bailey, Globe Columnist January 26, 2007

TJX is no Johnson & Johnson. And right now Ben Cammarata is looking like no James Burke.

A quarter of a century later, the bold decision by Burke, then chairman of Johnson & Johnson, to pull 31 million bottles of Tylenol capsules off the shelves remains the gold standard in corporate crisis-management. Seven people died from Tylenol laced with cyanide, and the Madison Avenue crowd was saying one of the world's best brands would never recover.

Burke succeeded by putting the customer first. Going against the advice of government agents and his own executives, Burke ordered a massive recall, which cost the company $50 million after taxes. Rather than hunkering down, Burke went on "60 Minutes" to explain what happened and dedicated the firm to the investigation. When Tylenol returned to the stores, it was in new triple-sealed packages and J&J gave away 80 million $2.50 coupons redeemable toward any Tylenol product.

The result: Tylenol regained more than 80 percent of its market share within a year. You'll find it in my medicine cabinet today.

The crisis that has engulfed TJX is not about life and death. But it is about consumer trust. This is retailing we're talking about, the most Darwinian of businesses, where only the strongest survive. If I can't trust the Marshalls brand, why not go to Target?

Millions of credit and debit cards may have been exposed by a security breach at Framingham-based TJX in what could become the nation's largest case of stolen consumer data. In the first line of its first public disclosure about the breach, TJX said it was "victimized by computer systems intrusion." Wrong. It is TJX's customers who were victimized by the criminals and TJX itself.

There is plenty of blame to go around. It is not news that identity theft and credit card fraud are problems, but government -- federal and state -- has been slow to act. The credit card companies and the banks have been noisy in pointing the finger at TJX -- no small irony from an industry that stuffs our mailboxes every day with yet another low-low credit offer.

But this particular problem belongs first to TJX. It was TJX that left a window open and let the bad guys sneak in and make off with its customers' credit data. What about it, Ben Cammarata? Did you wait a month to tell your customers because the cops asked you to or because you were in the middle of the Christmas selling season? Why are you still "considering" whether to offer free credit monitoring to customers? Why have customers who had their license numbers stolen not gotten so much as a letter from you?

Debra Gibbons of Needham, a long-time TJX shopper, wants to know. She got a call from her credit card company saying her account was on fraud alert. Said Gibbons: "To close the account or not to close the account, that was the question. I closed the account . . . TJX owes the public something more than lip service. We want answers and we want them now."

Cammarata is a world-class retailer who preaches the value of "sweaty palms" -- that is, always sweating the suppliers until the last minute for the best prices. But as a leader amid one of the company's worst crises, he has been invisible. If TJX were a different kind of company and Cammarata a different kind of leader, company and chairman could become the champion for the need to do something about identity theft and credit card theft. But then elephants don't break dance, either.

Now it is TJX's customers doing the sweating. Repeat after me, Chairman Cammarata: The victim is the customer, not the company. The victim is the customer, not the company. If TJX takes care of its customers, the customers will take care of TJX. If not, there is always Target.



A solution for TJX-like companies? (Their customers, actually.)

http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html

IBM donates new privacy tool to open-source

By Joris Evers Story last modified Fri Jan 26 05:57:34 PST 2007

IBM has developed software designed to let people keep personal information secret when doing business online and donated it to the Higgins open-source project.

The software, called "Identity Mixer," was developed by IBM researchers. The idea is that people provide encrypted digital credentials issued by trusted parties like a bank or government agency when transacting online, instead of sharing credit card or other details in plain text, Anthony Nadalin, IBM's chief security architect, said in an interview.

"Today you traditionally give away all of your information to the man in the middle and you don't know what they do with it," Nadalin said. "With Identity Mixer you create a pseudonym that you hand over."

For example, when making a purchase online, buyers would provide an encrypted credential issued by their credit card company instead of actual credit card details. The online store can't access the credential, but passes it on to the credit card issuer, which can verify it and make sure the retailer gets paid.

"This limits the liability that the storefront has, because they don't have that credit card information anymore," Nadalin said. "All you hear about is stores getting hacked." [Only the ones who eventually detect it... Bob]

... To get Identity Mixer out of the lab and into the real world, IBM is donating its work to Higgins project, a broad, open-source effort backed by IBM and Novell that promises to give people more control of their personal data when doing business online. Higgins also aims to make the multiple authentication systems on the Net work together, making it easier for people to manage Internet logins and passwords.
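As an added illustration (not IBM's Identity Mixer code, which relies on anonymous-credential cryptography), the following Python models the three-party flow the article describes: the issuer hands the customer a credential bound to one purchase, the store forwards it without ever holding a card number, and the issuer verifies it and pays the store. It substitutes an HMAC-authenticated pseudonymous token for the encrypted credential so that it runs with the standard library alone; the merchant name and the card number are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets


class Issuer:
    """Card issuer: the only party that holds real card numbers and the key."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never shared with customer or store
        self._cards = {}                     # pseudonym -> real card number
        self._spent = set()                  # nonces already redeemed (blocks replay)

    def issue(self, card_number, merchant, amount_cents):
        """Customer asks for a one-shot credential bound to this merchant and amount."""
        pseudonym = "pseud-" + secrets.token_hex(6)
        self._cards[pseudonym] = card_number
        body = {"pseudonym": pseudonym, "merchant": merchant,
                "amount": amount_cents, "nonce": secrets.token_hex(8)}
        canonical = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
        return {"body": body, "tag": tag}

    def redeem(self, credential, merchant, amount_cents):
        """Store forwards the credential; the issuer checks it and settles payment."""
        body = credential.get("body", {})
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, credential.get("tag", "")):
            return False, "bad signature"
        if body.get("merchant") != merchant or body.get("amount") != amount_cents:
            return False, "credential not bound to this transaction"
        if body.get("nonce") in self._spent:
            return False, "replayed credential"
        if body.get("pseudonym") not in self._cards:
            return False, "unknown pseudonym"
        self._spent.add(body["nonce"])
        # The real card would be charged here; its number never left the issuer.
        return True, "paid"


class Store:
    """Online store: records only the pseudonym, never a card number."""

    def __init__(self, merchant_id, issuer):
        self.merchant_id = merchant_id
        self._issuer = issuer
        self.orders = []  # everything a breach of the store's records would expose

    def checkout(self, credential, amount_cents):
        ok, reason = self._issuer.redeem(credential, self.merchant_id, amount_cents)
        if ok:
            self.orders.append({"pseudonym": credential["body"]["pseudonym"],
                                "amount": amount_cents})
        return ok, reason


def demo():
    """Run a purchase, a replay, and an over-charge attempt; report what the store kept."""
    issuer = Issuer()
    store = Store("example-store", issuer)
    card = "4111111111111111"  # constructed test card number, not real
    cred = issuer.issue(card, "example-store", 4999)
    first = store.checkout(cred, 4999)      # legitimate purchase
    replay = store.checkout(cred, 4999)     # same credential presented again
    cred2 = issuer.issue(card, "example-store", 1000)
    tampered = store.checkout(cred2, 9000)  # store tries to charge more than authorised
    leaked = json.dumps(store.orders)       # what an attacker would get from the store
    return {"first": first, "replay": replay, "tampered": tampered,
            "card_in_store_records": card in leaked}


if __name__ == "__main__":
    print(demo())
```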



Guess where the National Hazardous Waste repository will be located?

http://digg.com/politics/Maine_Rejects_National_ID_Cards

Maine Rejects National ID Cards

State's legislature overwhelmingly opposes act requiring national digital ID cards, putting Bush administration in a pickle.

http://news.com.com/2100-7348_3-6153532.html?tag=nefd.top

[From the article:

Both chambers of the Maine legislature approved a resolution saying the state flatly "refuses" to force its citizens to use driver's licenses that comply with digital ID standards, which were established under the 2005 Real ID Act. It asks the U.S. Congress to repeal the law.



Antitrust?

http://apple.slashdot.org/article.pl?sid=07/01/25/2341240&from=rss

Norway Outlaws iTunes

Posted by CowboyNeal on Thursday January 25, @09:37PM from the run-out-of-town dept.

haddieman notes that while many people are getting more and more annoyed at DRM, Norway actually did something about it. The PC World article explains: "Good intentions, questionable execution. European legislators have been giving DRM considerable attention for a while, but Norway has actually gone so far as to declare that Apple's iTunes store is illegal under Norwegian law. The crux of the issue is that the Fairplay DRM that is at the heart of the iTunes/iPod universe doesn't work with anything else, meaning that if you want access to the vast iTunes library, you have to buy an iPod."



Meta-surveillance? Quis Custodiet Custodes Ipsos?

http://techdirt.com/articles/20070125/115810.shtml

Scotland Mulls Surveillance Cameras To Prevent Anti-Surveillance Camera Vandalism

from the endless-loop dept

As surveillance and speed cameras become ubiquitous in society, instances of vandalism against the cameras are becoming increasingly common. In Scotland, it's apparently gotten so bad that the government is considering the brilliant solution of installing cameras that watch the other cameras (via Hit & Run), for the sole purpose of detecting vandalism. Of course, we probably don't even need to mention the obvious issue with this plan: won't they need yet another camera to watch over these cameras?



What impact on Business Continuity? What recourse do they have?

http://techdirt.com/articles/20070125/102430.shtml

MySpace And GoDaddy Shut Down Huge Archive Of Security Mailing Lists

from the silly-companies dept

Rich Kulawiec writes in to point out that Seclists.org, a site that archives various security-related discussion email lists (and run by Fyodor, author of nmap, and generally well-known within the security realm) was yanked offline completely yesterday thanks to a bogus complaint from MySpace to the registrar/hosting company Fyodor used, GoDaddy. It seems that MySpace was freaking out that yet another big list of MySpace usernames and passwords had leaked (and spread all over the net). So, they went into damage control mode. A few copies of the MySpace list had been mailed to one of the security mailing lists archived at Seclists, and rather than simply asking that they be removed, MySpace went straight to the hosting company to get the entire domain turned off -- which GoDaddy did without question (or giving Fyodor a chance to appeal). In other words, they shut down a huge domain full of useful information that was used by a lot of people, over one complaint on some information that is widely available all over the internet. Fyodor also notes that these types of bogus requests to hosting companies and registrars are only increasing lately. It seems like there may be an opportunity for a registrar hosting company to advertise that they don't wilt at the first sign of legal language, and at least give their customers a chance to respond.



A tool for new students? Do you think the administration will freak?

http://googleblog.blogspot.com/2007/01/show-us-your-university-campus-in-3d.html

Show us your university campus in 3D

1/25/2007 09:34:00 AM Posted by Allyson McDuffie, Google SketchUp Education Program Coordinator

Today the Build Your Campus in 3D Competition begins. This spring, you and your (presumably equally artistic) friends can honor your campus turf as you hone your 3D design skills just by modeling your school's campus buildings in Google SketchUp, geo-reference them in Google Earth, and submit them through the competition website to earn lasting online glory. And the winners get a visit to Google, all expenses paid.



We already know that more people vote for the next American Idol than vote in presidential elections. Perhaps we should produce “The Next American President?” (Would make a good Saturday Night Live skit anyway...)

http://digg.com/television/Idol_Outshines_State_of_the_Union

'Idol' Outshines State of the Union

Coverage of the president's State of the Union Address blanketed the 9 p.m. hour among all the major networks, while "American Idol" at 8 p.m. earned a higher rating than all four network airings of the Address combined.

http://www.tvweek.com/news.cms?newsId=11446

Thursday, January 25, 2007

Oh, gee! What a shock!

http://www.metrowestdailynews.com/homepage/8998981813082783742

Bankers group says fraud tied to TJX data breach

By Andrew J. Manuse/Daily News staff Wednesday, January 24, 2007 - Updated: 06:21 PM EST

FRAMINGHAM - The Massachusetts Bankers Association on Wednesday reported the first cases of fraud linked to the security breach announced last week by The TJX Cos. Inc., which operates T.J. Maxx, Marshalls and other stores.

The Boston trade group said several of Massachusetts banks reported debit and credit card information was fraudulently used to make purchases in Florida, Georgia and Louisiana, and in Hong Kong and Sweden.

“Right now it's just a handful of cases, but we think it's going to increase significantly,'' said Bruce Spitzer, a spokesman for the bankers association. “As we go forward, and the cases increase, we're not going to be able to count them all. [“Management admits it can't count!” Bob] Our intention is to make people aware that they need to be extra vigilant in monitoring their accounts and your bank has to do that as well.''

... Sherry Lang, a spokeswoman for TJX, said the segment of data the company knows was stolen from its computers included “substantially less than millions of account numbers.'' She said she was unable to give a more definitive number because the company itself does not know the extent of the breach.

... “If it comes back to us, we will deal with it appropriately, but we'd need appropriate documentation (of the fraud).'' [“Which we will probably not be able to match...” Bob]

... The breach was discovered in mid-December but was kept secret until last week because of a company decision as well as a request from law enforcement officials.

“Part of the reason we held off was we believed, in doing so, we would be further protecting the data of our customers,” Lang said. [Security through obscurity! Bob]



We should probably start a lawsuit database to compare strategies on these Identity Theft cases...

http://www.indystar.com/apps/pbcs.dll/article?AID=/20070124/BUSINESS/70124028

1:24 PM January 24, 2007

St. Francis sued over info breach

Star report

A lawsuit filed in Marion County accuses Sisters of St. Francis Health Services and its outside contractor of exposing 260,000 patients in Indiana and Illinois to the possibility of identity theft.

Greenwood resident Michael Chaney, one of the victims receiving a letter from contractor Advanced Receivables Strategy, is suing the hospital system and ARS over what his attorney claims were violations of privacy and negligence.

The breach occurred last summer, when an employee of Tennessee-based ARS mistakenly left compact discs containing patients' names and Social Security numbers in a computer bag being returned to a retail store. The patients were notified about the incident in October.

Chaney's lawyer, Scott Benkie, filed a federal lawsuit at U.S. District Court seeking class-action status, a suit that he said was voluntarily dismissed. The new suit filed Tuesday was done in Marion County Superior Court.

Chaney told the Star that he decided to sue because he felt his personal information was handled carelessly.

The suit filed Tuesday seeks damages of at least $1,000 for each affected class member. The CDs contained information on about 260,000 patients and about 6,200 employees, board members and physicians associated with St. Francis.

There's a question still as to whether people had their information breached because of the exposure.

"We've had a few people contact us who had issues with their information," Benkie said.



Looks like someone was paying attention – and not the school district. (You should only make statements like this if you are willing to bet your job.)

http://www.corsicanadailysun.com/news/local_story_024100443.html

CISD says new system secure

By Janet Jacobs

Call it the Permanent File to end all permanent files.

When the Corsicana school system goes to the new Skyward student records computer system, expect it to be fairly encompassing, but it’s got some parents concerned about privacy.

The new records system is capable of compiling all the information about every child in the district, keeping it as long as the student is enrolled. [“When your child's college wants a transcript, we'll tell 'em, ‘Sorry, we deleted everything upon graduation – for privacy reasons, you know.’” Bob]

This includes health and immunization records, attendance, class schedules, grades, discipline, school bus route, or pickup times, even locker combinations, although it’s unsure how much of that will be used immediately.

... Corsicana will only be using the student records software for now. At a future date, the district could add the nutrition software, which keeps track of everything a child buys in the cafeteria.



Tools & Techniques: Looks like vendors are starting to offer tools that management should already have in place...

http://www.eweek.com/article2/0,1759,2087164,00.asp?kc=EWRSS03119TX1K0000594

Provilla to Fight Leaks with Document 'Fingerprints'

January 24, 2007 By Matt Hines

A software startup is hoping to plant its flag in the rapidly expanding data leakage prevention sector using a technique that marries traditional endpoint security controls with a document-based system that assigns a digital fingerprint to each piece of protected content.

Provilla, based in Mountain View, Calif., moved out of quiet mode on Jan. 22 and launched its first product, LeakProof, an application sold as an appliance, which aims to help companies stop workers or outside attackers from either mistakenly or intentionally copying sensitive data from their networks into messaging systems, Web applications or mobile storage devices.

As part of the launch, Provilla also introduced LeakSense, a free software application that promises to help administrators observe workers' data-handling activities and isolate potential problems that programs such as LeakProof seek to prevent.
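The article only says that LeakProof assigns a “digital fingerprint” to each protected document and blocks copies of it leaving the network. The block below is an added illustration of how that class of product works, not Provilla's code or algorithm: it hashes every run of K words, keeps a sparse subset of those hashes by winnowing (the minimum of each window of W shingles), and flags an outgoing message when enough of its fingerprints belong to a registered document. The values of K and W, the match threshold, and the sample document and e-mails are all constructed for the demonstration. A verbatim excerpt of n words shares every window that lies inside it with the original, so with these constants it is guaranteed to share at least ceil((n-7)/4) fingerprints, whatever the hash values happen to be.

```python
"""Document fingerprinting for leak detection (added example; not Provilla's code)."""
import hashlib
import re
from typing import Dict, List, Set

K = 5  # words per shingle (assumed value for the demonstration)
W = 4  # winnowing window, counted in shingles (assumed)


def _tokens(text: str) -> List[str]:
    """Lower-case alphanumeric words, so re-wrapping, punctuation or case changes do not defeat a match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def _shingle_hashes(text: str) -> List[int]:
    """Hash every run of K consecutive words; each hash is a candidate fingerprint."""
    toks = _tokens(text)
    return [
        int(hashlib.sha1(" ".join(toks[i:i + K]).encode()).hexdigest()[:16], 16)
        for i in range(len(toks) - K + 1)
    ]


def fingerprint(text: str) -> Set[int]:
    """Winnowing: keep the minimum hash of each window of W consecutive shingles.

    Any verbatim excerpt long enough to contain a whole window shares that window's
    minimum with the original document, so partial copies are still detected.
    """
    hashes = _shingle_hashes(text)
    if len(hashes) <= W:
        return set(hashes)  # too short to winnow: keep every shingle
    return {min(hashes[i:i + W]) for i in range(len(hashes) - W + 1)}


class FingerprintIndex:
    """Inverted index from fingerprint hash to the protected documents containing it."""

    def __init__(self) -> None:
        self._docs: Dict[int, Set[str]] = {}

    def register(self, doc_id: str, text: str) -> int:
        fp = fingerprint(text)
        for h in fp:
            self._docs.setdefault(h, set()).add(doc_id)
        return len(fp)

    def scan(self, outbound: str, min_hits: int = 3) -> Dict[str, int]:
        """Protected documents with at least min_hits fingerprints present in the outbound text."""
        hits: Dict[str, int] = {}
        for h in fingerprint(outbound):
            for doc_id in self._docs.get(h, ()):
                hits[doc_id] = hits.get(doc_id, 0) + 1
        return {d: n for d, n in hits.items() if n >= min_hits}


# Constructed sample data (not from the article): a protected document, an outgoing
# e-mail that pastes 37 words of it, and an unrelated e-mail.
PROTECTED_DOC = (
    "Patient roster for the cardiology unit. Each record lists the patient name, "
    "date of birth, social security number, insurance group identifier and primary "
    "diagnosis code. This file must not leave the billing network and must be "
    "encrypted at rest on any portable device. Questions go to the privacy officer."
)
LEAKING_EMAIL = (
    "Hi, pasting the relevant bit here so you can look at it over the weekend: "
    "Each record lists the patient name, date of birth, social security number, "
    "insurance group identifier and primary diagnosis code. This file must not leave "
    "the billing network and must be encrypted at rest on any portable device. Thanks!"
)
CLEAN_EMAIL = (
    "Lunch on Thursday? The new place on Main Street has a decent salad bar "
    "and the parking is free after noon."
)


def demo() -> Dict[str, Dict[str, int]]:
    """Register the protected document, then scan both e-mails."""
    idx = FingerprintIndex()
    idx.register("cardiology-roster", PROTECTED_DOC)
    return {"leak": idx.scan(LEAKING_EMAIL), "clean": idx.scan(CLEAN_EMAIL)}


if __name__ == "__main__":
    print(demo())
```

Real products add the pieces this sketch leaves out: fingerprinting structured data (a column of SSNs) separately from prose, an enforcement point on mail, web and removable media, and a way to tune the threshold so that quoting one sentence of a policy document does not block every reply to it.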



THIS is what erodes freedoms... Indifference.

http://www.eweek.com/article2/0,1759,2087177,00.asp?kc=EWRSS03119TX1K0000594

Survey: Nobody Really Cares that Big Brother Is Watching

January 24, 2007 By Deborah Perelman

Despite employer policies, threats and monitoring, the vast majority of workers still use company technology for personal use, according to a survey commissioned by Lawyers.com, released Jan. 24.

Though nearly one-half (45 percent) of respondents reported that they had been explicitly informed by superiors that their technology usage at work is monitored, most still use it for personal tasks, the survey found.

Of the adult U.S. office workers surveyed, 69 percent said they use the Internet for non-work purposes while at work; 69 percent said they make and receive personal phone calls on their work telephones; and 55 percent said they send or receive personal e-mails on work e-mail accounts.

Almost three-quarters of those surveyed, 73 percent, reported that they are as likely or more likely to use the Internet at work for personal reasons than they were two years ago, and 68 percent reported the same in regard to personal e-mail.

According to the survey results, younger workers were more likely to make information about their private lives available online, opening themselves up to unintended exposure in front of employers. Of the 18- to 34-year-old workers surveyed, 71 percent maintained some sort of personal Web site, blog or personal networking account, 52 percent had MySpace or Facebook profiles, and 13 percent currently had online dating accounts.

Younger workers were also the most likely to use their employers' technology for personal reasons. Nearly three-quarters (72 percent) reported checking personal e-mail accounts during work (compared to 61 percent of the total surveyed), and 77 percent said they used their Internet access at work for personal reasons (compared to 69 percent of office workers overall).



At least the ISPs are safe...

http://googlewatch.eweek.com/content/youtube/foxs_piracy_czar_subpoenas_youtube_over_pirated_24_and_simpsons_episodes.html

Wednesday, January 24, 2007 4:03 PM/EST

Fox's Piracy Czar Subpoenas YouTube over Pirated "24" and "Simpsons" Episodes

D'oh! Twentieth Century Fox has subpoenaed YouTube to reveal the identity of users who uploaded four episodes of the TV series "24" and twelve episodes of "The Simpsons," Google Watch has learned.

The subpoena reads, in part:

On or about January 8, 2007, Fox became aware that a subscriber ("the Subscriber") of YouTube Inc.'s Internet-based service uploaded pirated copies of the works onto YouTube, making them available for illegal viewing over the Internet to anyone who wishes to watch them. Fox has not authorized this distribution or display of the works. The subpoena requests YouTube, Inc. to disclose information sufficient to identify the Subscriber so that Fox can stop this infringing activity.

YouTube declined to comment. A phone call to Fox's legal representation was not returned.

The subpoena includes the testimony of Jane Sunderland, vice president of content protection and anti-piracy for the Fox Entertainment Group.

Sunderland's portion of the subpoena, which is her personal testimony that the infringing activity is occurring, says that Fox has been unable to determine on their own who has been uploading the Works. The uploaded Works are also causing Fox irreparable harm (standard legal language).

Sunderland also testifies that Fox sent an official letter to YouTube on January 8. Although I haven't been in touch with News Corp yet, I assume YouTube didn't remove the videos promptly enough, hence the official subpoena.

A quick search on YouTube only revealed trailers for "24," although given how poorly the site's search function works some videos may yet exist. There are several Simpsons excerpts available, though I didn't see any full episodes.

Update: Andrew Wallenstein and Carl DiOrio at The Hollywood Reporter have more details about the subpoena, including the YouTube user's name (ECOTotal) and that a subpoena was also served to a site called LiveDigital.



This means my blog is safe, right?

http://techdirt.com/articles/20070124/093337.shtml

Court Reinforces, And Even Expands, Site Owners' Immunity For Other People's Content

from the no-libel-for-you dept

The Communications Decency Act, passed in 1996, was, like so many other government attempts to regulate technology, something of a mess. However, it does have one bright spot: Section 230, which generally says that site providers aren't liable for content on their sites which they didn't post. Typically, this refers to things like comments and forums. For instance, if a commenter here made a libelous or otherwise defamatory statement, they're liable for it, not Techdirt. This has been held up several times in various courts, because it makes sense to target the actual source of the defamation, not the platform provider. There have been repeated efforts to narrow the scope of Section 230, but a recent decision seems to have expanded it a little bit.

A federal judge in Texas has ruled that Yahoo wasn't liable in a civil case for a child pornography online group set up and moderated by a user on its servers. The user's in jail on criminal charges stemming from the group, but a civil suit targeted the ISP with a variety of claims, though the judge ruled that Section 230 gave them immunity, even though it was alleged Yahoo had broken the law by hosting child porn. This means that people can't file civil cases against site owners or hosting providers, and use the allegation of criminal conduct as a way to get around Section 230. The law was also intended to foster self-regulation of obscene and illegal content by service providers, and immunity is an important aspect of that. Lawsuits often try to allege that if a service provider regulates any content on their servers, they're legally liable for all of it -- something that's wholly impractical, particularly for a service the size of Yahoo Groups. The judge rightly notes in the decision (PDF) that to allow suits on either basis (alleging criminal activity, or that any level of regulation creates liability) would have a chilling effect on online speech, which is something Congress didn't want to do in enacting the law. To do so would not just stifle online speech, but it would also stifle innovation -- since any sort of interactive or user-generated content could create an impossible level of legal liability for site owners.



“Hi there! Allow us to demonstrate why we should be trusted to conduct your elections...”

http://techdirt.com/articles/20070123/134221.shtml

Diebold Shows Anyone How To Break Into Their E-Voting Machines

from the yikes dept

Well, this is just fantastic. Following the claims that there are no real problems with e-voting machines, almost immediately followed by reports of massive fraud with e-voting machines in Brazil, Alex Halderman is pointing out that Diebold, in their infinite wisdom, are making it ridiculously easy to break into their machines. Halderman was a part of the team that showed that Diebold's locks on their e-voting machines used a default key that was common to many hotel minibars and could be found easily in many places. However, the researchers who noted this were still careful never to show the actual key, preferring not to help anyone who seriously intended on breaking into the machines. Diebold, on the other hand, isn't so careful. The company, which has continually played down reports of security flaws, is apparently selling the very key you need to break into their boxes on their online site... with a picture of the key. You need to be a Diebold account holder to buy it, but anyone can look at the key and then figure out how to make their own copy -- and, in fact, that's exactly what someone did. He used the picture to cut his own keys and sent the keys to Halderman, who found that two of the three keys opened the Diebold locks with ease. The guy who discovered this notified Diebold a month ago, but Diebold did not respond and has not removed the image of the key from their website. [Up until now, it was merely ignorance, now it's stupidity. Bob]



Well, that makes imperfect sense.

http://digg.com/world_news/Border_Patrol_ordered_Not_to_Arrest_Illegal_Border_Crossers

Border Patrol ordered Not to Arrest Illegal Border Crossers

U.S. Border Patrol agents have been ordered to NOT apprehend people crossing our border illegally.

http://www.metacafe.com/watch/398640/border_patrol_ordered_not_to_arrest_illegal_border_crossers/



Looking for a template for your presidential campaign?

http://www.bespacific.com/mt/archives/013711.html

January 24, 2007

Giuliani Dossier of Campaign Documents Online

From Politico.com, "a dossier [126 pages, PDF] of confidential Giuliani campaign documents of which the campaign lost possession in early November [2006]. The documents appear to have been prepared by Giuliani's chief fundraiser, Anne Dickerson. Some personal information, largely cellular phone numbers, was redacted."



I wonder if we'll start seeing a lot of similar recommendations?

http://slashdot.org/article.pl?sid=07/01/24/210234&from=rss

Koreans Advised to "Avoid Vista" for Now

Posted by ScuttleMonkey on Wednesday January 24, @05:19PM from the as-long-as-warcrack-still-works dept. Windows Software

An anonymous reader writes "The Chosonilbo reports that several government ministries in South Korea are advising users not to install Windows Vista, at least until popular online services can be made compatible. The problem is that ActiveX is pervasive in the Korean webspace, employed by everyone from web games to online banking. Upgrading to Vista is expected to render many of these services unusable. Portions of the popular "Hangul" word processor, a major competitor to Office in that country, are also not functioning under Vista. The Ministry of Information is planning to publish compatibility information for popular websites, and urging users to carefully research the implications of upgrading."

[Interesting that they blame this on Bill Clinton... See the comments. Bob]



...there's not enough tension in the world... So much for the “we need the energy” argument.

http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/01/24/wiran24.xml

N Korea helping Iran with nuclear testing

By Con Coughlin Last Updated: 3:23pm GMT 24/01/2007

North Korea is helping Iran to prepare an underground nuclear test similar to the one Pyongyang carried out last year.

Wednesday, January 24, 2007

Even lawyers can be victims... Note that this is the entire story – what do you suppose they had on their computers?

http://www.orlandosentinel.com/news/local/orange/orl-mcfbriefs24_507jan24,0,6292858.story?coll=orl-news-headlines-orange

Law firm robbed

January 24, 2007

Orlando -- Thieves made off with 18 laptop computers from one of Orlando's most prominent law firms late Monday or early Tuesday, stealing them from the 19th floor of the AmSouth building downtown.

The theft was from the offices of Foley & Lardner LLP. In a statement, the firm said business operations were not affected and client information was safeguarded. It said the computers automatically encrypt data and render information on them unusable to others. [Remember, this could be a “bet the business” level risk. Bob]



Management had no clue?

http://www.blogs.oregonlive.com/oregonian/businessupdates/default.asp?item=449134

Xerox workers discover months-old data theft

Posted by The Oregonian business desk January 22, 2007 14:43

A union representing Xerox Corp. workers in Wilsonville said today that the technology company failed for months to alert them to a records breach that affected about 300 current and former employees.

Members of UNITE HERE Local 14Z said a laptop stolen from a locked vehicle at a human resource manager's home last fall contained an unencrypted file with social security numbers, pay figures and home addresses of 300 current and former employees.

The theft occurred in late August, but union officials said Xerox didn't inform employees of the breach until Dec. 18.

"They should've at least erred on the side of caution and let us know," said Anthony Irwin, a union steward and manufacturing worker at Xerox. Irwin said that since October, his social security number has been used without his approval to open eight cellphone accounts with three different carriers. "It's cost me time and effort. I didn't know what was going on."

Xerox spokeswoman Erin Isselmann said the delay occurred because the company had to conduct a forensic examination of the laptop's files. [Which they don't have? Bob] The laptop was not backed up, she said, requiring Xerox to contact everyone who had e-mailed the Xerox employee to track the laptop's contents.

The personnel data was attached to an e-mail that had been sent more than a year earlier, Isselmann said. She said the laptop's contents are password protected. Xerox employs 1,800 in Oregon, including 1,600 in Wilsonville, but the theft affected only the 300 union members.

Xerox has offered to provide one year of daily reports of affected workers' credit ratings. Isselmann said Irwin has been unwilling to work with Xerox in investigating his claims.

"It's going to be hard to figure out if that was ever tied to this," she said.



http://www.newvision.co.ug/D/8/12/544949

Vital NSSF data stolen

Publication date: Tuesday, 23rd January, 2007 spotlight@newvision.co.ug BY F. AHIMBISIBWE

THE Police are investigating an incident in which over 36 computers of the National Social Security Fund (NSSF) were vandalised and their hard disks stolen amid fears that vital information could have been lost.

The Head of the Fraud Unit, John Bwango, said yesterday unknown thugs broke into the NSSF offices at Amamu House located on George Street and destroyed the computers before extracting their operating systems. [Not your typical “let's steal a computer” then... Bob]

He said the incident, which took place ‘some days before Christmas’, hinted at an inside job.

... NSSF communications and marketing manager, Charles Muhoozi, downplayed the incident.

“Our operations department confirmed that it was a small incident which can not affect our operations,” he said. [See, self-serving PR is not limited to US business... Bob]

... NSSF has over one million registered members.



This is a follow-up...

http://www.columbusdispatch.com/business/business.php?story=241942

Insurer’s customer data was swiped

Identity-theft concern is low, Nationwide says

By Denise Trowbridge The Columbus Dispatch Wednesday, January 24, 2007

The personal information of tens of thousands of Nationwide customers has been stolen.

The company said yesterday that a lockbox of backup tapes containing the personal data of 28,279 Nationwide Health Plans customers, most in central Ohio, was stolen from the Weymouth, Mass., office of Concentra Preferred Systems.

... In the Nationwide case, the tapes contained medical claim information, health data and Social Security numbers.

... The theft occurred Oct. 26 and Nationwide was made aware of the incident two weeks later. Letters notifying customers were mailed last week by the company. A notice about the theft appeared on Concentra's Web site Dec. 1.

... Nationwide determined that the risk of identity theft as a result of this incident is very low, Switzer said.

... Ohio law requires companies to notify customers of data breaches within 45 days, but only if the company believes there is a "material risk of identity theft."

... Still, customers are usually mad when they find out months later that their data was compromised, said Paul Stephens, policy analyst with the Privacy Rights Clearinghouse in San Diego.

"It shouldn't take that long to notify customers," he said, but businesses "have no financial incentive to tell them" about a breach.

... The stolen tapes also contained personal information for participants in several other health-insurance plans, including 130,000 Aetna and 42,000 Group Health Insurance customers, according to the Privacy Rights Clearinghouse.

Those companies notified customers of the breach in mid-December.



Here's a quick analysis from Gartner...

http://www.gartner.com/DisplayDocument?doc_cd=145963&ref=g_homelink

TJX Retailer Data Attack Points to Need for Bank Action

23 January 2007 Avivah Litan

Cyber thieves have stolen customer data from a large retail chain. Banks must also own up to this problem and change their payment systems so that, even if data is stolen, it is useless to the thieves.




This didn't take long...

http://www.suntimes.com/news/politics/224519,CST-NWS-data23.article

Social Security data puts 1.3 mil. voters at risk: suit

Elections Board hit with suit over breach

January 23, 2007 BY ART GOLAB Staff Reporter

The release of more than 1.3 million registered voters' Social Security numbers by the Chicago Board of Elections has triggered a class action lawsuit, which was filed Monday in County Circuit Court.

Lead plaintiff in the suit is 43rd Ward aldermanic candidate Peter Zelchenko, who discovered the security breach and who also uncovered a similar problem last October on the board's Web site. The most recent release of at least 100 compact discs to aldermen and ward committeemen, with another six discs unaccounted for, was revealed on Monday in the Sun-Times.

The suit, filed by attorney Nicholas Kefalos, alleges the board violated the Illinois Personal Information Protection Act and seeks unspecified compensation for all Chicago voters whose Social Security numbers were disclosed.

"Actual damages could be $50 or $100 for each person to at least establish a credit watch," Kefalos said.

The CDs also included birth dates, phone numbers and addresses.

"You couldn't have come up with a better threat for identity fraud if you had orchestrated it," [“IF?” This is Chicago! Bob] Zelchenko said.

Law requires notification

But board spokesman Tom Leach said most of the CDs were distributed three years ago, and that since then there has been "absolutely no evidence" of identity theft. [Perhaps they just didn't know who was responsible? Bob]

"We don't want the message to get out that there should be panic in the streets," Leach said.

The board is attempting to retrieve the discs.

Though required by law to notify voters of the breach, Leach said the board will not do so individually, but will instead advertise. [Does this meet the requirements of the law? Bob]

So, right now, voters have no way of knowing whether their information was exposed.

But since the board stopped collecting full Social Security numbers about three years ago, those who registered earlier are at greater risk.

Plaintiff's site may aid voters

Kefalos said that people who register with Zelchenko's Web site, Re4m.org, will be notified if their Social Security numbers were exposed as soon as the courts give permission.

He intends to file a similar suit in federal court today.

In a separate action, other class action lawsuits were filed against the Chicago Board of Elections in Cook County and federal courts by Meliza Aldea, Romeo Aldea and Robert Green, noting concerns about privacy rights.



If all it takes is to call them stupid, the world would be a much safer place...

http://www.cokepubandbar.co.uk/CokePubandBar/lic_news.jsp?article=18040745

Cops cut red tape on hooligan photos

(23/01/2007 : 17:00:31)

A police force has backed down on its ban on releasing photographs of known pub hooligans following protests that it was barmy. [Okay, you have to use the British term for stupid... Bob]

As reported here last week, Greater Manchester Police had previously said that releasing photos could breach data protection laws and could be abused, a decision that stunned licensees who wanted to keep out troublemakers.



“Let's build a system that allows you to 'guess' at valid SSANs and the government will then confirm they are valid.” Oh, great!

http://www.govexec.com/dailyfed/0107/012307cdam2.htm

Lawmakers decry firewall limiting DHS agency's investigations

By Terry Kivlan, CongressDaily

Stung by federal immigration raids on Swift and Company meat-packing plants in their states, a group of senators vowed Monday to tear down the legal wall limiting the Homeland Security Department's access to Social Security information.

Due to the wall, the department's "Basic Pilot" database for checking the employment eligibility of newly hired non-citizens allows employers to weed out only workers using false Social Security numbers, not actual numbers obtained through identification theft.

... Current law bars the Social Security Administration from giving information on applicants to the Social Security system who were rejected because their numbers might have been obtained through fraud. Since the information comes from tax returns, it is protected by IRS privacy rules, said SSA spokesman Mark Lassiter.



This got me thinking... Should I set a number of challenges for my “How to Hack” class, such that they MUST break in to each to get an “A?”

http://www.9news.com/news/article.aspx?storyid=63092

Students hack into school system, change grades

written by: Jeffrey Wolf , Web Producer and Nelson Garcia , Reporter created: 1/12/2007 9:37:35 PM Last updated: 1/12/2007 10:34:03 PM

Students hacked into Golden High School's computer system and changed grades. 9NEWS at 10 p.m. January 12, 2007.

GOLDEN – All is not golden at Colorado’s oldest school. Administrators are investigating reports that hackers got into Golden High School’s computer system and changed grades.

Students say it’s causing lots of confusion and frustration at the end of the first semester.

“I think it's pretty extreme and almost pathetic really,” said Jamie Hamilton, a senior.

Investigators are looking into whether students hacked into the campus portal system, which is meant to give parents access to grades, schedules and attendance records.

“People started giving themselves A’s,” said Hamilton.

“And everyone was getting accused of doing it,” said Hannah LaFalche, a sophomore. [Because there are no records? Bob]

Golden High School students say the hackers changed the grades for themselves and others just before winter break and the end of the first semester.

“I didn’t think students could get in so easily,” said Brooke Palmer, a sophomore.

Students’ reactions range from frustration to amusement.

“I think it’s kind of sad that people feel they have to cheat like that,” said Hamilton.

“Pretty naughty, but I give them props for getting in,” said a laughing Palmer.

Administrators do not even know how many grades may have been changed. [Typically, ANY change to a database should be logged, if only for backup purposes... Bob] It could be as low as 15 students or as high as 200.

Students are now being asked to go back and prove what grade they should be receiving.

“The teachers don’t know what to do because they don’t keep their hard files, they just keep them on the computers,” said LaFalche.

Students say teachers are asking them to bring back what they can; tests, notebooks, anything and everything.

“That was a big deal, having to bring back all of your homework,” said LaFalche.

Jefferson County Schools Superintendent Cindy Stevenson declined to go on camera for 9NEWS but says her staff is working hard to find out how it happened. When they do, she says security will be improved.

The district will not say if any students have been caught or how many are suspected of hacking into the system.

Stevenson says parents can have confidence in the integrity of the campus portal system. [Nonsense! Bob]

Golden students say they wonder if they can have confidence in their grades.
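The point in the bracketed comment above, that a grade change should never happen without a record of it, is cheap to implement at the database layer. The block below is an added example, not the district's portal software and not anything the article describes: a trigger writes the old value, the new value, the acting account and a timestamp into an audit table inside the same transaction as the UPDATE, so “how many grades were changed, and which?” is one query rather than a semester's worth of homework brought back in a backpack. It uses Python's standard sqlite3 module; the table layout, the single-row context table that carries the acting account, and the sample accounts and grades are all assumed.

```python
"""Grade-change audit trail via a database trigger (added example; not the district's code)."""
import sqlite3
from typing import Iterable, List, Tuple

SCHEMA = """
CREATE TABLE grades (
    student_id INTEGER NOT NULL,
    course     TEXT    NOT NULL,
    grade      TEXT    NOT NULL,
    PRIMARY KEY (student_id, course)
);

-- Who is acting, set by the application before it touches grades. In a real
-- deployment this comes from the authenticated session, not from a value the
-- caller picks freely (assumed single-row table for the demonstration).
CREATE TABLE audit_context (
    id    INTEGER PRIMARY KEY CHECK (id = 1),
    actor TEXT NOT NULL
);
INSERT INTO audit_context (id, actor) VALUES (1, 'unknown');

CREATE TABLE grade_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    student_id INTEGER NOT NULL,
    course     TEXT    NOT NULL,
    old_grade  TEXT    NOT NULL,
    new_grade  TEXT    NOT NULL,
    changed_by TEXT    NOT NULL,
    changed_at TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);

-- Fires inside the same transaction as the UPDATE: the grade cannot change
-- without a matching audit row, whoever issued the statement.
CREATE TRIGGER grades_audit_update
AFTER UPDATE OF grade ON grades
BEGIN
    INSERT INTO grade_audit (student_id, course, old_grade, new_grade, changed_by)
    VALUES (OLD.student_id, OLD.course, OLD.grade, NEW.grade,
            (SELECT actor FROM audit_context WHERE id = 1));
END;
"""

Row = Tuple[int, str, str, str, str]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def change_grade(conn: sqlite3.Connection, actor: str, student_id: int, course: str, new_grade: str) -> None:
    """Record who is acting, then change the grade; both commit or neither does."""
    with conn:
        conn.execute("UPDATE audit_context SET actor = ? WHERE id = 1", (actor,))
        conn.execute(
            "UPDATE grades SET grade = ? WHERE student_id = ? AND course = ?",
            (new_grade, student_id, course),
        )


def audit_trail(conn: sqlite3.Connection) -> List[Row]:
    """Every grade change, oldest first: the answer to 'how many grades were changed?'."""
    return conn.execute(
        "SELECT student_id, course, old_grade, new_grade, changed_by "
        "FROM grade_audit ORDER BY audit_id"
    ).fetchall()


def changes_by_untrusted_actors(conn: sqlite3.Connection, trusted: Iterable[str]) -> List[Row]:
    """Audit rows whose actor is not a known staff account: what to revert and investigate."""
    trusted = list(trusted)
    marks = ",".join("?" * len(trusted))  # only placeholders are built here; values stay parameterised
    return conn.execute(
        "SELECT student_id, course, old_grade, new_grade, changed_by "
        f"FROM grade_audit WHERE changed_by NOT IN ({marks}) ORDER BY audit_id",
        trusted,
    ).fetchall()


def run_demo() -> Tuple[List[Row], List[Row]]:
    """Constructed scenario: one legitimate correction, one grade edited from a student session."""
    conn = open_db()
    with conn:
        conn.executemany(
            "INSERT INTO grades VALUES (?, ?, ?)",
            [(1001, "ALG2", "C"), (1002, "ALG2", "B"), (1003, "CHEM", "A")],
        )
    change_grade(conn, "teacher.smith", 1002, "ALG2", "A")
    change_grade(conn, "portal_user_1001", 1001, "ALG2", "A")
    return audit_trail(conn), changes_by_untrusted_actors(conn, {"teacher.smith"})


if __name__ == "__main__":
    trail, suspicious = run_demo()
    print("all changes:", trail)
    print("not by staff:", suspicious)
```

Two caveats a practitioner would add: the audit table must not be writable by the same account that edits grades (otherwise the intruder deletes the evidence along with the grade), and the rows should be shipped to a log server the portal cannot reach, so that the record survives even if the database host is fully compromised.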


...but then, it may already be a national sport...

http://www.toledofreepress.com/?id=4718

Clay High School student hacks into Oregon schools data

By Autumn Lee Toledo Free Press Staff Writer

Oregon City Schools Superintendent John Hall confirmed an information security breach occurred Jan. 12 when a Clay High School student obtained confidential student and staff information through inappropriate means.

Hall has sent out letters notifying the local community about the incident.

Hall said the student, who he didn't name, shared with another student that he or she had accessed the information. The student who learned of this told a staff member midday.

The administration immediately investigated the situation and has taken the computers pertinent to the incident for analysis. [Must be considered in your Disaster Planning... How many can you afford to lose? Bob] The administration learned the student had transferred the information to a portable 30-gigabyte storage device. That device has been confiscated. [Unless the student swapped them... Bob]

... Zale said she has some forensic analysis work to do on some of the high school's computers. She confirmed that Oregon police are now in possession of the student's portable storage device. From investigation work she has completed, she has ascertained the student's external device has district-wide personal information, such as names, addresses, birthdays and Social Security numbers of students, and information on Clay faculty and staff. [No mention of a notice to those impacted? Bob]



Shouldn't you know what a “Critical communication” will look like? I would want them flagged and sent to AT LEAST one human.

http://digg.com/tech_news/Google_lost_domain_because_they_didn_t_deny_an_automated_transfer_request

Google lost domain because they didn't deny an automated transfer request

Yesterday Google lost its German domain google.de for several hours when they failed to respond to an automated transfer request. A user of web hosting startup Goneo had claimed to be the owner of the domain and tried to transfer it to the hoster. DeNIC, the registry for the .de TLD, asked Google and read their lack of reply as OK (common practice).

http://news.monstersandcritics.com/business/news/article_1250365.php/Googles_German_site_briefly_hijacked



Today, my loyalty cards. Tomorrow, your RFID credit cards!

http://digg.com/software/Sweet_webapp_consolidates_all_your_shoppers_club_cards_into_a_single_card

Sweet webapp consolidates all your shoppers club cards into a single card!!

"The goal is to fix the problem of having to carry around tens of loyalty, discount, and club cards every time I go shopping. I finally broke down and created this page when I realized my wallet was way too thick and 3/4 of the thickness was from the various supermarket and other loyalty cards."

http://www.justoneclubcard.com/



A “grate” idea? Business opportunities are where you find them...

http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20070123005258&newsLang=en

January 23, 2007 08:00 AM Eastern Time

TrustedID Unveils World’s First Free Search Engine To Check For Theft of Personal Information

Consumers can search more than 2 million pieces of compromised information including credit cards and social security numbers

REDWOOD CITY, Calif.--(BUSINESS WIRE)--TrustedID, a leading provider of identity management and protection solutions, today announced the first-ever free global service that allows consumers to check a secure database to find out if their personal information has been stolen or compromised. The new service -- StolenID Search -- is powered by the world’s largest aggregation of stolen and compromised data and contains more than 2 million pieces of information. [Where did they get this? Bob]

... StolenID Search will initially cover two types of information: credit cards and social security numbers. Individuals can enter their information into a secure search engine (www.stolenidsearch.com) -- to learn if any of their information has been stolen or compromised.


On the other hand...

http://techdirt.com/articles/20070123/094946.shtml

Identity Theft Search Engine Not Such A Wise Idea

from the look,-there's-me dept

With all of the data breaches that have been in the news lately, it's understandable that many people would like to know if their personal information was part of the lost data (hint: it probably was). To meet this need, a new site is offering a way for users to search a database of social security numbers and credit cards that have been exposed. This seems problematic for several reasons. As some are pointing out, it seems dangerous to get internet users into the habit of submitting their personal data on the internet to anyone but the most trusted sites. Even if this particular site is completely legitimate, its mere existence will probably spawn shadier imitators. Furthermore, because the site also offers anti-identity theft solutions that require the user to enter in more personal information, its own database is likely to be a juicy target for attackers. And then there's the problem of what the user is to do once they see their social security number in the database. Obviously the site would like people to sign up for its own service, but barring that, there's no obvious next step after someone discovers that at some point their personal data may have been disclosed. While monitoring may be an important tool in combating identity theft, throwing a service out there as a come-on for a specific identity theft solution does not seem like a particularly good idea.



Isn't this what that other King George did?

http://politics.slashdot.org/article.pl?sid=07/01/24/0024258&from=rss

US Attorney General Questions Habeas Corpus

Posted by kdawson on Tuesday January 23, @08:33PM from the exact-words dept. The Courts United States Politics

spiedrazer writes "In yet another attempt to create legitimacy for the Bush Administration's many questionable legal practices, US Attorney General Alberto Gonzales actually had the audacity to argue before a Congressional committee that the US Constitution doesn't explicitly bestow habeas corpus rights on US citizens. In his view it merely says when the so-called Great Writ can be suspended, but that doesn't necessarily mean that the rights are granted. The Attorney General was being questioned by Sen. Arlen Specter at a Senate Judiciary Committee hearing on Jan. 18. The MSM are not covering this story but Colbert is (click on the fourth video down, 'Exact Words')."

From the Baltimore Chronicle and Sentinel commentary: "While Gonzales's statement has a measure of quibbling precision to it, his logic is troubling because it would suggest that many other fundamental rights that Americans hold dear (such as free speech, freedom of religion, and the right to assemble peacefully) also don't exist because the Constitution often spells out those rights in the negative. It boggles the mind the lengths this administration will go to to systematically erode the rights and privileges we have all counted on and held up as the granite pillars of our society since our nation was founded."


Might as well challenge all of those pesky amendments.

http://www.pogowasright.org/article.php?story=2007012406142548

Consent Searches and the Fourth Amendment: What's Wrong With "Apparent" Consent? (commentary)

Wednesday, January 24 2007 @ 06:29 AM CST - Contributed by: PrivacyNews - In the Courts

On January 11, the U.S. Court of Appeals for the Fourth Circuit affirmed a lower court's refusal to suppress a criminal defendant's password-protected computer files. The police had located the files in question during a warrantless search of the defendant's computer, authorized by his wife.

The court found that the wife, on the facts, lacked actual authority to consent to the search in question, but, it determined, because the police reasonably believed that she had had the requisite authority, the search did not violate the Fourth Amendment.

The case provides a useful illustration of why the "apparent authority to consent" doctrine does not keep faith with the protection of privacy guaranteed in the Fourth Amendment.

Source - FindLaw



Attorney Stephen Rynerson, an all-around smart guy (I mean wise guy – only not in the New Jersey sense), suggests this video clip might be of interest. He says, “The President and Attorney General are apparently not Andy Griffith fans (it has audio, so turn on your speakers if necessary).”

http://www.youtube.com/v/4CvoC551i2E



Tales of the future?

http://techdirt.com/articles/20070123/123753.shtml

Evidence Of Tremendous Fraud Found In Brazilian E-Voting System

from the no-major-problems,-huh? dept

Just as we point to claims from some think tanks that e-voting works great as is, and things like verifiable paper trails aren't needed, there are reports coming out suggesting that there was a massive amount of fraud in the latest Brazilian elections, which made extensive use of e-voting machines. The reports claim that more than one-third of the e-voting machines used in the state of Alagoas show signs of manipulation.

  • The number of ballots stored by the machines is less than the number of voters.

  • Some of the votes apparently come from e-voting machines that don't exist.

  • Some machines appear not to have registered a single vote.

Are those think tanks going to explain this away as "user error" as well?
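The three anomaly classes the report lists are exactly the cross-checks a post-election audit can run mechanically, provided the deployment registry, the check-in counts and the per-machine tallies are kept as independent records. Below is an added example, not code from the article or from any election authority, that runs those checks over constructed tally data: a registry of deployed machines, voters checked in per machine, ballots stored per machine, and vote records that include one machine ID absent from the registry. All identifiers and counts are invented for illustration.

```python
"""Reconciliation checks for e-voting tallies (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# --- constructed sample records (not real election data) ---
DEPLOYED = {"M-001": "Section 1", "M-002": "Section 1",
            "M-003": "Section 2", "M-004": "Section 2"}          # machine -> polling section
VOTERS_CHECKED_IN = {"M-001": 312, "M-002": 290, "M-003": 150, "M-004": 175}
BALLOTS_STORED = {"M-001": 312, "M-002": 250, "M-003": 150, "M-004": 0}
# tally records: (machine_id, candidate, votes); M-999 is not in the registry
TALLY = [("M-001", "A", 180), ("M-001", "B", 132),
         ("M-002", "A", 100), ("M-002", "B", 150),
         ("M-003", "A", 80),  ("M-003", "B", 70),
         ("M-999", "A", 120)]

Finding = Tuple[str, str, int]   # (kind, machine_id, magnitude)


def audit(deployed: Dict[str, str], checked_in: Dict[str, int],
          tally: List[Tuple[str, str, int]], ballots_stored: Dict[str, int]) -> List[Finding]:
    """Flag the three anomaly classes from the report."""
    votes_by_machine: Dict[str, int] = defaultdict(int)
    for machine_id, _candidate, votes in tally:
        votes_by_machine[machine_id] += votes

    findings: List[Finding] = []
    # 1. votes attributed to a machine that was never deployed
    for machine_id, votes in votes_by_machine.items():
        if machine_id not in deployed:
            findings.append(("phantom_machine", machine_id, votes))
    for machine_id in deployed:
        # 2. fewer ballots retained than voters checked in at that machine
        stored = ballots_stored.get(machine_id, 0)
        expected = checked_in.get(machine_id, 0)
        if stored < expected:
            findings.append(("ballots_below_voters", machine_id, expected - stored))
        # 3. a deployed machine that registered no vote at all
        if votes_by_machine.get(machine_id, 0) == 0:
            findings.append(("no_votes_registered", machine_id, 0))
    return findings


def flagged_fraction(deployed: Dict[str, str], findings: List[Finding]) -> float:
    """Share of deployed machines with at least one finding (the report's headline metric)."""
    flagged = {machine_id for _, machine_id, _ in findings if machine_id in deployed}
    return len(flagged) / len(deployed) if deployed else 0.0


if __name__ == "__main__":
    results = audit(DEPLOYED, VOTERS_CHECKED_IN, TALLY, BALLOTS_STORED)
    for kind, machine_id, magnitude in results:
        print(f"{kind:22s} {machine_id:6s} {magnitude}")
    print(f"flagged: {flagged_fraction(DEPLOYED, results):.0%} of deployed machines")
```

Each check needs two records that were produced by different parties (the registry of deployed hardware, the poll-book check-ins, the machine's own ballot store), which is the same reason a verifiable paper trail matters: a single self-reported tally cannot be reconciled against itself.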



Trends...

http://www.technewsworld.com/rsstory/55316.html

Report: Cybercriminals Favor Web Browser Attacks

By Fred J. Aun TechNewsWorld 01/23/07 10:58 AM PT

A new report from global IT security company Sophos says that hackers are moving away from the devious practice of using e-mail attachments as conduits for virus attacks and increasing Web browser attacks. The report also says the United States tops the list of nations having computers that are both spewing e-mail spam and hosting bad Web sites.

Bad news outweighs the good in the new "Threat Report 2007" issued Monday by Sophos, the global IT security company. [Registration required to download Bob]

The good news, which might provide significant hope, is that computer users are finally refraining from opening attachments connected to unsolicited e-mail.

Because of that, according to Sophos, hackers are moving away from the devious practice of using those attachments as conduits for virus attacks. Sophos said it found only one e-mail for every 337 was infected in 2006, while one in 44 were infected in 2005.

Heeding Warnings

The figures prove that repeatedly warning people about something can eventually work, according to Ron O'Brien, a senior security analyst for Sophos.

"The single most effective defense that the public can aspire to is education," O'Brien told TechNewsWorld. "We see that in the e-mail space. The typical user is not as likely to click on an attachment in an e-mail from an unknown source. That's taken a number of years to become a common practice."

The bad news documented in the Sophos report is that the criminals didn't give up. As the effectiveness of infected e-mail declined, the hackers began focusing their nefarious efforts on Web browsers.

... While it's good that people aren't clicking as often on e-mail attachments, the danger posed by clicking on spammed URLs or browsing the Web with unprotected computers is significant. Merely visiting a bad site is all it takes to infect a PC, O'Brien noted. "All you have to do is click on it," he said.

... General Web browsing is becoming more risky, agreed Natalie Lambert, a senior analyst with Forrester Research. "I think malicious code writers are really refocusing their efforts on ways to infect as many computers as possible in the shortest amount of time," she said. "There's a lot of money to be made in creating malware these days."



The debate continues...

http://www.lessig.org/blog/archives/003686.shtml

Paul Heald’s free data about free culture

University of Georgia Professor Paul Heald has been working for a long time to understand the right balance in copyright. He’s got a fantastic new empirical study posted at SSRN that evaluates the effect on access from work passing into the public domain. Recall one argument for extending a copyright term is that it gives the copyright owner incentives to keep old works alive. Heald tests this hypothesis by looking at the availability of best sellers after they pass into the public domain.

The study is interestingly rich, and the conclusions are interestingly contingent. But the bottom line for books is that a work’s passing into the public domain increases access at a lower price. Or put differently: if you want to make sure the classics are preserved, the public domain is a good tool to do just that.

The paper has not been published yet. But consistent with the ideals of science, Heald is making all the data freely available so others can test the hypothesis. The data is being housed at Science Commons just now. So download (paper/data), test, re-test, and see if Heald is right.

One thing’s for sure, however: this is the right way to make scientific knowledge available. Bravo, Professor Heald.



Towards automated lawyers...

http://news.com.com/2100-1030_3-6152761.html?part=rss&tag=2547-1_3-0-5&subj=news

Police blotter: Heirs sue over will-making software

By Declan McCullagh Story last modified Wed Jan 24 06:07:32 PST 2007

"Police blotter" is a weekly News.com report on the intersection of technology and the law.

What: Insurance agent sued for "unauthorized practice of law" after he uses Quicken software to help a 91-year-old woman create a will.

When: Supreme Court of South Carolina rules on January 22.

Outcome: Use of computer software ruled to be "unauthorized practice of law."

What happened, according to court documents:

Ernest Chavis is a South Carolina insurance agent who previously had some business dealings with a 91-year-old woman named Annie Belle Weiss. On July 20, 2004, Chavis visited her and, at some point in the conversation, Weiss asked him "Can you help me make a will?"

Weiss said she was asking because she wanted "someone objective" and told Chavis how she wanted her property divided up. Chavis used Quicken software--apparently Quicken WillMaker or Quicken Family Lawyer--to fill in the blanks and then brought the completed will to her in the hospital. Weiss signed it on July 31, 2004, and died two months later.

What makes this case relevant to Police Blotter is the question of whether Chavis was engaging in the unauthorized practice of law by typing information into the Quicken program.

Beth Franklin and Julianne Franklin, Weiss' grand-nieces, filed a lawsuit contesting her will and claiming Chavis engaged in the unauthorized practice of law, or UPL. Chavis was named as Weiss' personal representative, but not as a beneficiary. (He would be, however, entitled to up to 5 percent of the estate's value under state law because of his duties as personal representative.)

UPL is a remarkably vague concept that has led even some lawyers to refer to state bar associations as "cartels" that act to restrict competition and boost their own incomes.

One scholarly paper, for instance, estimates that bar association cartels inflate attorneys' starting salaries by at least $10,000 and cost consumers more than $3 billion annually in extra fees. The Texas Bar Association has targeted Nolo, a California book publisher that sells self-help books like 8 Ways to Avoid Probate, and tried to ban the sale of Quicken Family Lawyer. Paralegals offering basic services on their own -- even after they had done the identical work at a law firm -- have been sued out of business.

To bar associations, UPL is a deadly serious business. As far back as 1941, a Pennsylvania court ruled that "furnishing advice" about the practical issues that wills and insurance policies raise "constitutes the practice of the law."

In this case, too, the Supreme Court of South Carolina took an expansive view of UPL violations. Instead of acting as a mere "scrivener" or stenographer, the court said that Chavis did the work away from the hospital outside of Weiss's presence and was guilty of a UPL violation.

The court did not order that Chavis be removed as personal representative, but did order that he should not receive the customary fee for his work (because, again, it allegedly derived from his UPL offense). The judges did refuse to throw out the will in response to the grand-nieces' requests, concluding "if the July 31 will was in fact drafted pursuant to Ms. Weiss's true wishes, it should not be invalidated simply because it was drafted by a non-lawyer." [So UPL has no real consequence? Bob]

Excerpts from the Supreme Court of South Carolina's opinion:

The preparation of legal documents constitutes the practice of law when such preparation involves the giving of advice, consultation, explanation, or recommendations on matters of law. Even the preparation of standard forms that require no creative drafting may constitute the practice of law if one acts as more than a mere scrivener.

The purpose of prohibiting the unauthorized practice of law is to protect the public from incompetence in the preparation of legal documents and prevent harm resulting from inaccurate legal advice. ("The amateur at law is as dangerous to the community as an amateur surgeon....").

The novel question here is whether respondent's actions in filling in the blanks in a computer-generated generic will constitute the practice of law. Respondent selected the will form, filled in the information given by Ms. Weiss, and arranged the execution of the will at the hospital. Although these facts are not in themselves conclusive, the omission of facts indicating Ms. Weiss's involvement is significant. There is no evidence Ms. Weiss reviewed the will once it was typed. The will was not typed in her presence and although respondent relates the details of what Ms. Weiss told him to do, there is no indication he contemporaneously recorded her instructions and then simply transferred the information to the form.

We construe the role of "scrivener" in this context to mean someone who does nothing more than record verbatim what the decedent says. [This seems key. If you faithfully enter data as instructed, and the software selects options based on that data, the software is practicing law. Bob] We conclude respondent's actions in drafting Ms. Weiss's will exceeded those of a mere scrivener and he engaged in the unauthorized practice of law...



Perhaps Congress will read this before attempting to ban/regulate blogs? Nah.

http://www.bespacific.com/mt/archives/013705.html

January 23, 2007

Study Focuses on Understanding the Political Influence of Blogs

Understanding the Political Influence of Blogs: A Study of the Growing Importance of the Blogosphere in the U.S. Congress, April 2006, by T. Neil Sroka.

  • Abstract: "Using a survey of congressional offices conducted between January and March 2006, I attempt to gain a picture of the readership, usage, and opinion of blogs and blogging on Capitol Hill, in order to make the case for blogging’s direct effect on the modern legislative process. I conclude that, although more study is needed to know how blog readership and usage directly impact policy decisions, the high levels of blog readership and the widely held view that blogs function as the “watchdog” of the mainstream media clearly suggest that the blogosphere has a much stronger voice being heard by legislators than previously considered."