Saturday, May 05, 2007

Apparently some facts are leaking out. (Boy, those WSJ guys are good!) Nothing new on the TJX web site since March 28th but someone is talking.

http://techdirt.com/articles/20070504/114216.shtml

Depths Of TJX's Incompetence Continues To Astound

from the leave-the-front-door-open dept

The TJX credit-card data breach -- the largest ever -- was sort of amazing, in that it went on for a few years before it was detected and disclosed. It was established at the outset that the company didn't comply with credit-card companies' strict security guidelines, but a story in today's Wall Street Journal spells out the depths of TJX's incompetence when it came to security. Investigators believe that the hackers used directional antennas to intercept signals sent over the WiFi networks at the company's stores, which were encrypted only with the easily cracked WEP standard, since TJX never bothered to update to WPA. You wouldn't think that would be too much of a problem, because apart from the network being encrypted, the company had installed other layers of encryption and security, right? Wrong. Once the hackers had gained access to the TJX network through a single store, they used keyloggers to get access to the company's central database at its headquarters, and they established their own accounts and the major theft began. Again, TJX made this easier on the crooks by transmitting credit-card data to banks without encryption. [There is an easy solution to this: Don't pay companies for unencrypted records... Bob] Banks continue to see claims from fraudulent activities related to the theft, and they're left holding the bag -- so it's little wonder some of them have sued TJX in hopes of recovering damages. This illustrates one of the biggest problems when it comes to identity theft and data protection: companies responsible for leaks and losses aren't typically the ones that have to deal with or pay for the fallout. For instance, in this case, TJX's financial liability has thus far been limited, and any fines it will have to pay will likely be minimal, despite its ridiculously shoddy security. The company has no incentive to enact better security if it feels no repercussions from a breach, so why should it bother? 
These misaligned incentives exacerbate the problem, and don't help anyone.

[From the WSJ article: (Well worth a careful read.)

... The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn. [They have traced it back! Bob]

... The $17.4-billion retailer's wireless network had less security than many people have on their home networks, [What is the legal definition of negligence? Bob]

... A person familiar with the firm's internal investigation says they may have grabbed as many as 200 million card numbers all told from four years' records. [TJX announced a “limited number” Bob]

... TJX ... can't crack the encryption on files that the hackers left in its system.

... Banks could spend $300 million to replace cards

... TJX's breach-related bill could surpass $1 billion over five years -- including costs for consultants, security upgrades, attorney fees, and added marketing to reassure customers, but not lawsuit liabilities -- estimates Forrester Research

... The security upgrade alone could cost $100 million

... It says it will also pay for a credit-card fraud monitoring service to help avert identity theft for customers whose Social Security numbers were stolen. [Earlier, it said it would not! Only those whose “drivers' license, military ID or state ID numbers” were taken. In fact, their web site still says that... Bob]

... An auditor later found the company also failed to install firewalls and data encryption on many of its computers using the wireless network, and didn't properly install another layer of security software it had bought.

... The auditor told the company last Sept. 29 [2006 Bob] that it wasn't complying with many of the requirements imposed by Visa and MasterCard, according to a person familiar with the report. The auditor's report cited the outmoded WEP encryption and missing software patches and firewalls.

... Investigators did find traces of the hackers: altered computer files, suspicious software and some mixed-up data such as time stamps in the wrong order. [This supports my contention that their “financial records” have been modified. Doesn't that make their Sarbanes-Oxley certification of “adequate control” rather suspect? Bob]


Interesting interpretation/speculation...

http://weblog.infoworld.com/zeroday/archives/2007/05/wardriving_may.html

May 04, 2007

Wardriving may have started TJX breach

The largest data breach in U.S. history may have started with wardriving, the practice of cruising for vulnerable wireless access points

... If the report is true, it would have an uncanny resemblance to another hack at retailer Lowe's in 2003. In that case, a Michigan man pleaded guilty to hacking a wireless network at a Lowe's store, then using that access to compromise systems at the company's headquarters and other stores in the U.S.



Security is as security does? “Let us set an example for you!”

http://www.newsday.com/technology/ats-ap_technology10may05,0,4388879.story?coll=ny-technology-headlines

TSA Loses Hard Drive With Personal Info

By MATT APUZZO Associated Press Writer May 5, 2007, 7:54 AM EDT

WASHINGTON -- The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employees.

Authorities realized Thursday the hard drive was missing from a controlled area at TSA headquarters. TSA Administrator Kip Hawley sent a letter to employees Friday apologizing for the lost data and promising to pay for one year of credit monitoring services.

... TSA said it has asked the FBI and Secret Service to investigate and said it would fire anyone discovered to have violated the agency's data-protection policies. [No doubt that will encourage cooperation... Bob]

In a statement released Friday night, the agency said the external -- or portable -- hard drive contained information on employees who worked for the Homeland Security agency from January 2002 until August 2005.

... The agency added a section to its Web site Friday night addressing the data security breach and directing people to information about identity theft.

Rep. Sheila Jackson Lee, D-Texas, whose Homeland Security subcommittee oversees the TSA, promised to hold hearings on the security breach. She said Homeland Security buildings are part of the critical infrastructure the agency is charged with protecting.


[Related: http://www.tsa.gov/press/happenings/050407_statement.shtm

Public Statement on Employee Data Security Incident



Always worth a quick read. I'll quote only one example...

http://www.pogowasright.org/blogs/dissent/?p=342

Data “Dysprotection” Weekend Roundup for Week Ending May 6th

(update 1) Friday May 04th 2007, 3:12 pm

Filed under: Privacy, Children or Students, Identity Theft, Data Protection

... The GAO issued a report on lessons learned from the May 2006 VA breach involving 26.5 million vets. Surprisingly (to me, anyway), their appendices listed other breaches that I had never seen reported in the media, including the Farm Services Agency, the Marines, the National Center for Education Statistics, and Health and Human Services Centers for Medicare & Medicaid Services. Another half a million or so to add to the counters.



“We need a bigger government! No one else would pay us to write such fluff!” (Looks like they've been writing for the entire seven years. The executive summary is 37 pages long!)

http://news.com.com/8301-10784_3-9716077-7.html?part=rss&subj=news&tag=2547-1_3-0-5

After seven years, government data-regulation committee recommends new federal bureaucracy

Posted by Declan McCullagh May 4, 2007 2:02 PM PDT

MONTREAL -- Remember the fable about the scorpion and the frog? The scorpion can't help himself from stinging the frog: "I could not help myself. It is my nature."

Keep that in mind when reading a new 400-page government report from the National Research Council, which is called "Engaging Privacy and Information Technology in a Digital Age" and has been in the works for seven years.

... The NRC report says the United States should follow the European model of creating Yet Another Federal Bureaucracy (YAFB)

... To wit: "The committee recommends... that a national privacy commissioner or standing privacy commission should be established to provide ongoing and periodic assessments of privacy developments."

The report isn't listed on the home page of the National Academies Press Web site or the site of the Computer Science and Telecommunications Board, which actually organized the committee that created it. But if you poke around, you can find it and the executive summary on their site.

... The so-called Privacy and Civil Liberties Oversight Board has been mostly useless. In fact, a YAFB for privacy could be actively harmful in two ways: First, its bureaucrats would have a strong incentive to expand their own power and budget by inventing new and economically onerous ways to impose unnecessary data collection and use regulations on private firms. Second, by endorsing harmful government privacy practices, it would provide a useful political shield for future administrations.


Colorado didn't need seven years!

http://www.rockymountainnews.com/drmn/editorials/article/0,2777,DRMN_23964_5519299,00.html

Inviting ID fraud

Ritter should reject weakening of identification standards

May 4, 2007

Gov. Bill Ritter has the chance to prevent Colorado from retreating in the battle against identity theft and fraud: He should veto House Bill 1313.

... To be sure, HB 1313 would eliminate some ambiguities in the current law. But it would also gravely weaken the standards for obtaining state IDs. This could invite rampant identity fraud.



Fear is a fearful thing.

http://www.newstimeslive.com/news/story.php?id=1048610

Prom night includes breath test

"The school is afraid of drunk-driving accidents. Prom is a notorious time for that to happen." -- Jason Mix, Brookfield High junior

By Heather Barr, THE NEWS-TIMES, May 04 2007 9:15 AM

BROOKFIELD -- Red light. Green light.

Parents may give students the green light to drive to the prom, but if they get a red light at the door, they won't get in and they won't be driving themselves home.

For the first time, the Brookfield school district will make every student attending the junior prom use a passive breath device, a 4-inch-by-2-inch hand-held box held in front of their face as they count aloud.

... More Connecticut high school students drink at school than the national average. Alcohol testing is increasing both nationally and in the region.

The device is meant to be "non-intrusive," said Brookfield High School principal Bryan Luizzi.

He said it works when a person speaks in front of it. If the light on the device stays green, the student can go into the dance. If it turns red -- showing the device has detected alcohol molecules -- the student will be asked to step aside and sit for 15 minutes.

After that wait, he or she can take the test again, in case the device was wrong -- say, detecting alcohol molecules from mouthwash. [If it correctly detects alcohol, how is it wrong? I recommend all students come to the prom with bad breath! Bob]

... "We don't use this to catch anybody," [Have you been drinking, sir? If you don't want to catch anyone, why use the devices? Bob] said Luizzi of the breath devices.

... Using breath devices is something school officials and the Board of Education have discussed for a couple of years, but school officials decided to purchase six of them two months ago because the cost became affordable, said Luizzi. [We can. Therefore we must! Bob]



Virtual Lawyers take note! I think it is time to finish my book on “Virtual Philosophy”

http://yro.slashdot.org/article.pl?sid=07/05/04/1525222&from=rss

Is Virtual Rape a Crime?

Posted by ScuttleMonkey on Friday May 04, @12:33PM from the because-/quit-is-so-hard-to-type dept. The Internet

cyberianpan writes "Wired is carrying commentary on the story that Brussels police have begun an investigation into a citizen's allegations of rape in Second Life. For reasons of civil liberty & clarity we'd like to confine criminal law to physical offenses rather than thought crimes but already threats, menace & conspiracy count as crimes. Could we see a situation where our laws extend?"



This should be very interesting!

http://www.infoworld.com/article/07/05/04/California-county-to-share-data-in-evoting-suit_1.html?source=rss&url=http://www.infoworld.com/article/07/05/04/California-county-to-share-data-in-evoting-suit_1.html

California county to share data in e-voting suit

Alameda County will share the data from its e-voting machines as part of a lawsuit brought against the county charging failure to properly disclose the required data

By Robert Mullins, IDG News Service May 04, 2007

In a case that illustrates the technological and legal uncertainties about electronic voting, a California county has agreed to share data stored on computer voting machines in a disputed election.

The deputy counsel for Alameda County revealed in a state court hearing Friday in Oakland that it has tracked down 307 of 420 voting machines [The others are in the hands of the Democrats/Republicans Bob] that may [Must? Bob] still contain vote tabulations from a disputed 2004 election in Berkeley, California.

... State Superior Court Judge Winifred Smith ruled a month ago that the county violated state election laws by not sharing voting records that could verify whether the election results were accurate with the plaintiffs.

... Despite a recount being sought in December 2004, Alameda County sent back to Diebold Systems the electronic voting machines it used without downloading election results from flash memory chips on each of the machines.


Ditto

http://news.com.com/2100-1028_3-6181552.html?part=rss&tag=2547-1_3-0-5&subj=news

Scottish e-counting under scrutiny in election mess

By Julian Goldsmith Story last modified Fri May 04 13:11:52 PDT 2007

Scotland's Electoral Commission is undertaking a full review of its elections, with the electronic-counting process, ballot rejection and voting via mail all under scrutiny.

The commission said "e-counting" in the recent election had worked well in a number of areas, adding that where counts have been completed, the results are accurate and final. [Are they suggesting that some “computer counts” have not yet been completed? Bob]

But it said "serious technical failures have arisen to delay the announcement of results" [Didn't you just announce that the results are suspect? Bob] in various areas, adding: "We share the public's concern about the high number of rejected ballot papers." According to a BBC report, seven vote counts were suspended and up to 100,000 ballot papers were spoiled.



Research?

http://www.bespacific.com/mt/archives/014773.html

May 04, 2007

GPO and SMU Offer Digital Collection of World War II Publications

Press release: "As the world pauses to remember the 62nd anniversary of the Allies' victory in Europe during World War II (May 8, 1945), the U.S. Government Printing Office (GPO) is joining with Southern Methodist University (SMU) Central University Libraries to provide the public with a digital collection of more than 300 U.S. Government publications distributed during the course of the war...SMU Central University Libraries, which are part of GPO's Federal Depository Library Program (FDLP), have digitized hundreds of historical World War II publications that are available to the public. With just a few keystrokes, Americans can access World War II reports and documents such as: Choosing Women for War - Industry Jobs, America's Biggest War Plant and Air Raid Shelters in Buildings.

These documents and many others are accessible here."

Friday, May 04, 2007

This is a follow-up on the “financial records in a dumpster” story, so I almost missed the bit about the tape...

http://www.allheadlinenews.com/articles/7007219432

J.P. Morgan Probes Alleged Data Breach

May 2, 2007 6:30 a.m. EST Geoffrey Ramos - AHN Staff Writer

New York, NY (AHN) - J.P. Morgan Chase has started a probe into allegations by a large workers union that documents containing financial information of its customers have been accidentally thrown in the trash in five of its branch offices in New York.

The financial services company is also sending out letters to its Chicago-based customers, informing them of a potential compromise of their data after a tape containing the data went missing.

... Meanwhile, J.P. Morgan has started informing some 47,000 customers and employees in the Chicago area about a possible loss of their personal data. A disk containing data from J.P. Morgan's private-client services business was reported missing from an off-site storage facility late last year.



We just don't know...

http://www.baltimoresun.com/news/local/politics/bal-dnrstory0503,0,5558174.story?coll=bal-home-headlines

DNR names, Social Security numbers are missing

Union calls on state to act after information on 1,400 workers likely lost

By Candus Thomson Sun Reporter May 3, 2007, 11:55 AM EDT

The union representing Department of Natural Resources law enforcement officers wants the state to pay for several months of credit checks after learning that a thumb drive with the names and Social Security numbers of about 1,400 employees has been lost.

The miniature computer storage device, used by an employee of the agency's Information Technology unit to take work home with him, was reported missing about a week ago, said Eric Schwaab, DNR deputy secretary.

The thumb drive held information about Natural Resources Police officers and Maryland Park Service rangers dating back to the 1970s.

"It's quite disturbing to our members. No one, to my knowledge, knows what really happened. Was it lost, stolen, misplaced? No one has told us," said Ed Eicher, president of the State Law Enforcement Officers Labor Alliance.

... Those whose information was lost were told of the security breach by telephone [Wow, 1400 phone calls! Bob] and were given written updates, Schwaab said.

... As a result of the incident, the DNR is reviewing its security policy. Schwaab said he could not talk about whether the employee was disciplined, citing state personnel rules. [How could “Yes, he was disciplined.” have any privacy implications? Bob]



Quote du jour: "Thinking... is sometimes an afterthought." (Sounds like Yogi Berra)

http://media.www.lsureveille.com/media/storage/paper868/news/2007/05/03/News/Stolen.Laptop.May.Hold.Id-2892874.shtml

Stolen laptop may hold ID numbers

Delays follow in notification of theft

By: Leah Square Posted: 5/3/07

An Information Technology investigation has revealed that a laptop stolen from a faculty member's Baton Rouge home may contain personally identifiable information for about 750 University students.

But University officials released a notification letter to potentially affected students April 15 - more than 10 days after receiving news of the theft. The faculty member notified University officials April 4, but officials did not contact LSUPD.

The laptop is owned by the E.J. Ourso College of Business, and may have included students' Social Security numbers, full names and grades, according to a notification letter The Daily Reveille obtained Tuesday. The letter was signed by Brian Nichols, chief IT security and police officer, [IT security is handled by the cops not just some entry level IT guy! Bob] and Robert Sumichrast, dean of the E.J. Ourso College of Business.

... "People aren't necessarily aware of what they've got on their computers," Thompson said. "Thinking about what was lost on the computer is sometimes an afterthought."

... Thompson said the University is moving to eliminate Social Security numbers from all systems and databases, but "cleaning up" all University venues for possible theft will take years.



Mere hundreds...

http://abclocal.go.com/ktrk/story?section=local&id=5268451

Students' personal information posted on campus computers

(5/03/07 - KTRK/CONROE, TX) - There is a warning for hundreds of students at Montgomery College. You may be at risk for identity theft.

The discovery was made by students at the campus just outside of Conroe. Students found a list of all graduating seniors on a computer drive that is publicly accessible on all campus computers.

On that list of names was also personal and sensitive information, including social security numbers and addresses. School officials say it was posted on the public shared drive accidentally by a new employee, who has now been disciplined.



Laptops aren't the only thing people steal... Would be more amusing if it was an inside job?

http://www.vnunet.com/vnunet/news/2189126/prison-keys-sold-ebay

Prison keys sold on eBay

Quick lock change in order after security slip

Iain Thomson, vnunet.com 03 May 2007

A US prison is undergoing emergency lock changes after the keys to some of its doors appeared on eBay.

Keys to the Anamosa State Penitentiary in Iowa were spotted on eBay by prison guards. They came from a locksmith at the prison who retired in 1974 and died two years later. [In all those years, no one thought to change the locks? Bob]

... The medium-security Anamosa State Penitentiary is home to about 1,250 inmates. [About? Bob]



Another cost...

http://www.9wsyr.com/content/news/your_stories/story.aspx?content_id=17b206d7-6cc1-4068-9b8d-25917c4edc1a

Your Stories Tracker: Credit Card Change

Last Update: May 2, 2007 4:46 PM

Syracuse (WSYR-TV) - We have a Your Stories Tracker about the continued fallout from the credit card information breach at retailers TJ Maxx and Marshalls.

In response to the news that millions of customers' credit and checking account information may have been stolen, many credit card companies sent members new credit cards, with new account numbers.

But customers are now finding that any automatic payments that were linked to their accounts did not transfer over when the new number was issued.

So, lots of people have been defaulting on bills they thought were automatically going to their credit cards.

We contacted HSBC about the problem. They tell us any customer who's charged a late fee should explain the situation to the merchant, to try and get the late fee removed.



This seems logical – what am I missing? Sounds like a slam dunk lawsuit to me!

http://techdirt.com/articles/20070503/112537.shtml

FCC Tells Phone Companies You Can't Arbitrarily Block Calls To Numbers You Don't Like

from the awfully-quiet-about-it dept

A few months back, telcos like AT&T and Sprint started blocking calls to various free conference call lines based in Iowa. As we had explained earlier, these systems were basically abusing bad regulations in Iowa, forcing telcos to pay them a lot of money for every incoming call. Even so, it seemed questionable that telcos could arbitrarily block who customers could call. It certainly echoed some of the concerns about network neutrality, where ISPs conceivably could block what sites users could visit. Based on all of this, it was somewhat surprising that the FCC didn't get involved. Eventually, however, the telcos backed down. We had assumed it was a combination of the bad publicity over the blocked calls (even if the Iowa telcos involved seriously overhyped the importance of being able to scam bigger telcos through regulatory loopholes) and the fact that the FCC was finally holding meetings on the issue. However, earlier today, FCC Chair Kevin Martin admitted that the FCC quickly called the big telcos in question to let them know, in no uncertain terms, that this was a violation of FCC rules. In fact, he claims that a week after the big telcos backed down, the FCC discovered that at least one was still somehow limiting or degrading calls to those Iowa numbers -- and the FCC contacted the telco again to tell them that this was not allowed. It's good to know that the FCC took this seriously (especially since it's one of the few times that it seems to have gone against the wishes of its good friends in the telco industry). It's still odd that the FCC didn't make any public announcement about this to make it abundantly clear to others not to go down this route. Perhaps Martin wanted to save his friends from some embarrassment. In the meantime, can anyone explain why no one is changing the silly regulations to get rid of the ridiculous and unnecessary fees to these Iowa telcos?



So why did they spend all that time and money?

http://techdirt.com/articles/20070503/091946.shtml

After Getting Shut Out Of Google, Belgian Newspapers Agree To Do What They Should Have Done In The First Place

from the took-you-long-enough dept

Google and a group of Belgian newspapers have settled part of their ongoing dispute, in which the papers alleged Google was violating their copyright by linking to their sites. In particular, they alleged that Google's caching of articles -- articles they charge people to read after a certain time -- was illegal. They could have, of course, just used either a robots.txt file or meta tags to control how Google indexed and cached their content, but they felt a lawsuit was a preferable course of action (since the dispute likely had little to do with copyright, and more to do with money). Given that, it's a little odd to see the papers now agreeing to use the "noarchive" tag so they can get back in Google search results. As Danny Sullivan points out, it's hard to see this as anything other than a victory for Google. While its appeal of the court case carries on, it would appear that Google's removal of the newspapers from its site -- in accordance with a court order -- illustrated to the newspapers how much free traffic Google sent them, and how much better off they are with it. Unlike in a similar, earlier case with the AFP news agency, Google hasn't had to cough up any cash or enter a licensing agreement with the Belgian papers -- but again, as Sullivan points out, removing the Belgian papers from its index was far simpler for Google than removing newswire content that gets republished across a wide range of sources. It's also far easier for each paper to measure the impact of their removal, whereas the removal of AFP's stories wasn't felt by the AFP itself, but rather by its customers. It's nice to see the Belgian papers come to their senses; hopefully the courts there will soon follow.



Maybe because I like science fiction?

http://it.slashdot.org/article.pl?sid=07/05/03/2031218&from=rss

The Internet of Things - What is a Spime?

Posted by CmdrTaco on Thursday May 03, @04:59PM from the sounds-like-it-would-taste-sour dept. The Internet IT

CoolVibe writes "From the abstract in the talk: "World-renowned Science Fiction writer and futurist Bruce Sterling will outline his ideas for SPIMES, a form of ubiquitous computing that gives smarts and 'searchability' to even the most mundane of physical products. Imagine losing your car keys and being able to search for them with Google Earth." It's a very interesting lecture given by Bruce Sterling about something we might see in the near future. The lecture can be viewed here on Google Video."



Oooh! I want one!

http://yro.slashdot.org/article.pl?sid=07/05/03/2333244&from=rss

RFID Guardian Protects Your Privacy

Posted by CowboyNeal on Thursday May 03, @08:18PM from the don't-look-at-me dept. Privacy Technology

An anonymous reader writes "A new device devised by Amsterdam graduate student Melanie Rieback is designed to serve as a portable firewall for RFID tags. The portable battery-powered RFID Guardian uses an access control list to filter RFID queries, blocking queries that aren't approved. Rieback, who is also known for being the first researcher to develop a proof of concept RFID virus, hopes to offer version 3.0 of the RFID Guardian to the public at cost."



Research. Can't find what you want? Perhaps you need to shop around...

http://digg.com/tech_news/Top_100_Alternative_Search_Engines_of_2007

Top 100 Alternative Search Engines of 2007

I have spent a month - since the March update - scouring the World Wide Web for any brand new Search Engines or ones that might have been missed. Several alternative search engines have been added directly from readers' comments to the last list. And several readers suggested a new category: Charity Search Engines; so that category has been added.

http://www.readwriteweb.com/archives/top_100_alt_search_engines_april07.php?2



Keep an extra close watch on the “diverse” ones!

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1250974,00.html?track=sy320

Employee profiling: A proactive defense against insider threats

Joel Dubin 05.03.2007

They might seem like normal employees, working away quietly like everybody else. But they're not. They're criminal insiders, using their privileged positions inside companies everywhere to access and steal confidential data or cause mayhem on the company's IT systems.

How can organizations protect themselves against these miscreants? How can enterprises weed out, let alone find, malicious insiders in their midst?

One way might be to build a profile of corporate turncoats. Once singled out, they can be scrutinized more closely than other employees. However, before starting an employee profiling program, there are three key questions to ask: What is the profile of a criminal insider? Is it legal or appropriate to single out suspected thieves? Is there a clever technical solution -- such as identity and access management -- to stop corporate sabotage without the fuss and hazards of profiling?



Urge all you want, there's money to be made...

http://www.thecrimson.com/article.aspx?ref=518748

Prof Urges Internet Search Purges

Working paper calls for search engines to delete Internet activity records

Published On 5/3/2007 3:03:16 AM By BERYL C.D. LIPTON Contributing Writer

Big Brother could be watching you online.

That’s what one Kennedy School associate faculty member cautioned yesterday, calling for a change in the way that internet activities are monitored and recorded.

In “Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing,” Associate Professor of Public Policy Viktor Mayer-Schoenberger argued for computer systems to regularly delete information, a practice he calls “data ecology.”

... “The notion of limiting the time that [personally identifiable information] is collected and maintained about individuals should be the subject of government consideration.”

[Read the paper at:

http://ksgnotes1.harvard.edu/Research/wpaper.nsf/rwp/RWP07-022/$File/rwp_07_022_Mayer-Schoenberger.pdf



...and the first country to Ubiquitous Surveillance (Orwell was an optimist.)

http://www.thisislondon.co.uk/news/article-23394907-details/Council%20recruits%20spy%20plane%20in%20war%20on%20residents%20who%20waste%20energy/article.do

Council recruits spy plane for war on residents who waste energy

03.05.07

Every home in a London borough has been photographed from a spy plane as council bosses focus on residents wasting energy.

Haringey Council in north London is the first local authority in the UK to compile a heat map which can pinpoint how much energy is escaping from each property.

Councillor Isidoros Diakides, Labour's executive member for housing, said: "This single study will play a key role in helping us address three of the biggest issues currently facing Haringey - climate change, fuel poverty and housing waiting lists." [Huh? Bob]

But the move was slammed by Justin Hinchcliffe, of Haringey Conservatives.

He said: "Given that the council cannot even keep the streets clean, we're amazed that they've launched this project.

... Robert Wilkes, 39, boss of map suppliers hotmapping.co.uk, rejected any suggestion it was an intrusion into people's privacy along the lines of satellite imaging service Google Earth.

... The mapping took place seven years ago in 2000 but Haringey, which has spent £21,000 on the study, is understood to have now commissioned a 2007 update.

... It will also help identify empty properties to be used for housing.



How else should you learn Virtual Law?

http://www.eff.org/deeplinks/archives/005238.php

Virtual Classes on Cyberlaw

May 03, 2007

Learn cyberlaw without leaving cyberspace through the State of Play Academy. The Academy offers free classes through the virtual world There.com. The Spring Semester has already started, and runs through June 8.

The virtual classes will teach you the sort of fascinating stuff your real college never gets around to offering, like "Claims of Copyright Misuse based on First Amendment Interests," "The Viacom-Youtube Lawsuit," and "Election 2008 and the Remix Culture." EFF staff attorney Kevin Bankston is signed up to teach a class called "Every Move You Make: Location Tracking and the Law."

More information, including how to log on and participate in SOPA classes at: stateofplayacademy.com.



Maybe they should have outsourced/offshored this in the first place... Imagine computers as “stocking stuffers” by Christmas.

http://hardware.slashdot.org/article.pl?sid=07/05/04/048259&from=rss

India Hopes to Make $10 Laptops a Reality

Posted by CowboyNeal on Friday May 04, @02:55AM from the but-how-much-in-rupees dept. Portables The Almighty Buck

sas-dot writes "We all know Nicholas Negroponte's $100 OLPC. [Last cost I've seen is $145 Bob] India, which was a potential market, rejected it. India's Human Resources Development ministry's idea to make laptops at $10 is firmly taking shape with two designs already in and public sector undertaking Semiconductor Complex evincing interest to be a part of the project. So far, the cost of one laptop, after factoring in labor charges, is coming to $47 but the ministry feels the price will come down dramatically considering the fact that the demand would be for one million laptops."



The return of Chad?

http://www.bespacific.com/mt/archives/014762.html

May 03, 2007

Florida Moves to Paper Ballots for 2008 Presidential Election

Press release: "In a historic vote, the Florida House today unanimously passed CS/HB 537, already passed in the Senate, that provides almost all voters paper ballots in time for the 2008 Presidential election, and bans paperless DREs [direct-recording electronic voting machines] outright by 2021."



Gosh, does this suggest that politicians don't understand technology, or have a clue how to project cost/revenue? How shocking!

http://techdirt.com/articles/20070503/013158.shtml

'Don't Spam Kids' Registry A Financial Disaster For Utah

from the nice-work dept

Michigan and Utah got some attention a couple years ago for each passing utterly pointless laws requiring spammers to remove email addresses of children. This seemed ridiculous for a variety of reasons, with the first among them being that, if anything, this kind of list seemed to put children's email addresses at an even greater risk. Eric Goldman has taken a deeper look at the Utah law and discovered a variety of other problems with it. He notes that, despite assurances that it was impossible that email addresses could be leaked from the registry, email addresses were leaked from the registry. However, the bigger point he makes is that the laws have been a huge financial disaster for Utah -- and more specifically, its taxpayers.

First, he points out that since the law clearly wouldn't stop any spam for children, the real purpose of the law was a secret email tax. The way the law is set up, firms need to pay a fee in order to compare their lists with the registry, and Utah in particular was apparently expecting $3 to $6 million in revenue. Instead, they've actually brought in $187,224. On top of that, the company that Utah has hired to run the registry, Unspam (who had also insisted it was impossible to leak the email address) gets to keep 80% of the revenue -- meaning Utah has received a grand total of $37,445 -- significantly less than expected, and not nearly enough to cover additional expenses created by the law. And it gets worse. The next part isn't entirely clear, but an expensive lawyer (who happens to be the son of Utah Senator Orrin Hatch) was hired by Unspam to defend the already questionable law in court -- but after the company felt it had spent too much, it appears to have handed the bill over to the state. So now Utah taxpayers are paying for this lawyer to defend their bad law -- and the lawyer makes many times what a state lawyer actually makes.

By the way, if the name Unspam sounds familiar to you, that's because it's the company that got a bunch of press last week for trying to sue a bunch of spammers for $1 billion. It was a case that got plenty of press, but seemed woefully short on details. Perhaps Unspam is simply looking to make up for lost time in getting Utah the money its CEO insisted the state would get if it passed the "don't spam kids" law and (of course) put his company in charge of running it. Oh, and it gets better. The recent ridiculous law to ban trademarked keyword advertising in Utah also just so happens to have come from this same CEO, who later defended the law on a blog, without mentioning his vested interest in it.



Tools & Techniques for hackers...

http://franticindustries.com/blog/2007/05/03/how-to-access-pandora-from-outside-the-us/

How to: access Pandora from outside the US

Published by Stan Schroeder May 3rd, 2007 in News, Tips Tags: anonymous browsing, hacks, News, Pandora, tips.

I’m not an avid Pandora user. Personally, I like Last.FM better. But it angers me when I see that such a great service will now be unavailable for users outside of the US. TechCrunch has the details, as well as a facsimile of the letter sent to Pandora’s international users.

Of course, I don’t blame Pandora for this: they’re just complying with the US (and international) laws and regulations.

I blame the laws and regulations.

In any case, this is the Internet, and it’s easy to be a hacker nowadays, so here are a couple of services you can use to access Pandora from wherever you are (btw, Pandora still works for me although I’m from Croatia; I guess they haven’t covered all the IP ranges just yet):

Thursday, May 03, 2007

A wise man learns from other people's mistakes!

http://hardware.slashdot.org/article.pl?sid=07/05/02/1215200&from=rss

Tech Magazine Loses June Issue, No Backup

Posted by CmdrTaco on Wednesday May 02, @08:43AM from the happens-to-everyone dept. Data Storage Hardware

Gareth writes "Business 2.0, a magazine published by Time, has been warning their readers against the hazards of not taking backups of computer files. So much so that in an article published by them in 2003, they 'likened backups to flossing — everyone knows it's important, but few devote enough thought or energy to it.' Last week, Business 2.0 got caught forgetting to floss as the magazine's editorial system crashed, wiping out all the work that had been done for its June issue. The backup server failed to back up."



Manage your own message. Volunteers can help, suggest, propose, but NEVER control the message.

http://politics.slashdot.org/article.pl?sid=07/05/02/1453214&from=rss

Obama's MySpace Drama

Posted by CmdrTaco on Wednesday May 02, @12:02PM from the highway-robbery-i-won't-pay-it dept. Democrats Politics

fistfullast33l writes "TechPresident, which is covering the use of technology by Presidential Campaigns for 2008, has a very interesting article on how Obama's MySpace page is currently the subject of an underground battle for control by the campaign itself and the volunteer who created it in 2004. Joseph Anthony worked with the campaign initially and grew the site to include over 160,000 unsolicited friends that the campaign could use to reach out to. It currently is the main Obama page in the Impact Channel on MySpace. However, as Obama's campaign became more centralized and formal, the decision was made to attempt to acquire control of the site from Anthony. They asked him for a price, which he offered up as $49,000 plus part of the $10,000 fee paid to MySpace for the Impact Channel. Obama balked at the price, [How about a nice Ambassadorship, like everyone else gets? Bob] and decided to start afresh rather than pay the money. The fight broke out into the open when Anthony posted a response on his blog to rumors that the campaign was spreading regarding him wanting to cash out. MyDD has more."



Certain to become a big legal area...

http://yro.slashdot.org/article.pl?sid=07/05/03/0215252&from=rss

Australian Teachers Try To Shut Down Website

Posted by samzenpus on Wednesday May 02, @11:51PM from the teachers-leave-them-kids-alone dept. Censorship

DeathElk writes "New South Wales teachers are attempting to have a website based in the United States closed down due to "defamatory" content. The site in question encourages students to rate teachers at their school, which obviously results in some colorful content. Now the story has hit the media, with some insightful quotes such as "The president of the NSW Secondary Principals Council, Jim McAlpine, said the Federal Government should block access to 'scurrilous American websites'."


...and the flip side...

http://techdirt.com/articles/20070502/200120.shtml

Music Industry Continues To Shoot Self In Foot; Forces Pandora To Block Non-US Listeners

from the nice-work dept

It's really depressing to watch the recording industry so consistently shoot itself in the foot, focusing on capturing every immediate dollar, rather than recognizing the ability of using music as free promotion to build up the size of their market. The latest case is that Pandora.com, a popular streaming music recommendation service (which is already facing some challenges due to the new webcaster rates) is being forced to block all non-US users of its service. This is because the recording industry wants Pandora to sign separate licensing deals in every country where it has listeners -- a nearly impossible task. Anyone who's used Pandora for more than about five minutes realizes what a great service it is for the entire recording industry. It really does a good job of recommending new music to listeners -- the type of new music that fits in with what they like, and that they're much more likely to support with money. However, rather than recognizing the numerous ways that Pandora can grow their overall market, the recording industry has to shut it down since it won't pay them even more than they're already being paid. This harms the recording industry in numerous ways, and it's amazing they haven't figured that out yet.



Reading...

http://www.pogowasright.org/article.php?story=20070502105411922

Privacy Law Professor Concludes Forwarding of Private Email Without Permission Violates Rights (press release)

Wednesday, May 02 2007 @ 10:54 AM CDT - Contributed by: PrivacyNews - Internet & Computers

In a major article examining the strength of legal arguments to protect private e-mail expression, a University of Arkansas law professor concludes that, based on the historical common law, today’s Federal Copyright Act does not protect someone from copying and distributing another person’s private expression, which means that forwarding e-mail without permission of the sender may be against the law.

.... Snow’s article will be published this summer in Volume 55 of the Kansas Law Review. It may be downloaded at http://ssrn.com/abstract=981729.

Source - Newswise


More reading...

http://www.links.org/files/selective-disclosure.pdf

Selective Disclosure

Ben Laurie (benl@google.com) May 2, 2007

Abstract: Digital signatures are widely used on the Internet. One application is in identity management, where they may be used to authenticate (that is, prove identity or entitlement) or to make verifiable assertions (e.g. “this person is over 21” or “this person is a UK citizen”). However, traditional digital signatures have implications for privacy – these can be addressed by zero-knowledge and selective disclosure proofs. This paper explores both the need for and the properties of selective disclosure proofs.
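The privacy problem the abstract names, worked as an added example (this is not Ben Laurie's code and not the paper's construction): if the issuer signs the attribute values themselves, the holder has to show the whole signed blob to prove any one claim. If the issuer instead signs a list of salted commitments, the holder can reveal just "over_21" with its salt and the verifier still checks the issuer's signature. The attribute names, the commitment layout, and HMAC-SHA256 under an issuer key standing in for a public-key signature (so the block runs with the standard library) are all assumptions.

```python
"""Selective disclosure over a signed credential (added example, see lead-in)."""
import hashlib
import hmac
import json
import os

# Assumption: a shared key stands in for the issuer's signing key.  A real
# issuer would use a public-key signature (e.g. Ed25519) so that verifiers
# never hold any issuer secret.
ISSUER_KEY = b"issuer-signing-key-for-demo-only"


def commit(name: str, value: str, salt: bytes) -> str:
    """Salted hash of one attribute.  The per-attribute salt stops a verifier
    from brute-forcing a hidden value (every plausible date of birth, say)
    against the commitment it can see."""
    return hashlib.sha256(salt + name.encode() + b"\x00" + value.encode()).hexdigest()


def sign(commitments: dict, key: bytes = ISSUER_KEY) -> str:
    """Signature stand-in over the canonical (sorted) commitment list."""
    payload = json.dumps(commitments, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue(attributes: dict) -> dict:
    """Issuer: commit to every attribute and sign the commitments, never the values."""
    salts = {k: os.urandom(16) for k in attributes}
    commitments = {k: commit(k, v, salts[k]) for k, v in attributes.items()}
    return {"attributes": dict(attributes),
            "salts": {k: s.hex() for k, s in salts.items()},
            "commitments": commitments,
            "signature": sign(commitments)}


def present(credential: dict, disclose: list) -> dict:
    """Holder: reveal only the requested attributes and their salts.  Every
    commitment still travels so the signature can be checked, which is why the
    verifier learns how many attributes exist and can link two presentations."""
    return {"disclosed": {k: credential["attributes"][k] for k in disclose},
            "salts": {k: credential["salts"][k] for k in disclose},
            "commitments": credential["commitments"],
            "signature": credential["signature"]}


def verify(presentation: dict, key: bytes = ISSUER_KEY) -> bool:
    """Verifier: issuer signature first, then each revealed value must open
    the commitment under the same attribute name."""
    if not hmac.compare_digest(sign(presentation["commitments"], key),
                               presentation["signature"]):
        return False
    for name, value in presentation["disclosed"].items():
        salt = bytes.fromhex(presentation["salts"][name])
        if commit(name, value, salt) != presentation["commitments"].get(name):
            return False
    return True


# Constructed sample credential (not real data).
SAMPLE_ATTRIBUTES = {"name": "Alice Example", "dob": "1980-01-01",
                     "over_21": "true", "citizenship": "UK"}


def demo() -> dict:
    cred = issue(SAMPLE_ATTRIBUTES)
    bouncer = present(cred, ["over_21"])        # only the age assertion
    forged = present(cred, ["over_21"])
    forged["disclosed"]["over_21"] = "false"    # tampered value does not open its commitment
    return {"bouncer_ok": verify(bouncer),
            "bouncer_sees": sorted(bouncer["disclosed"]),
            "forged_ok": verify(forged)}
```

Two caveats the paper is really about: this is selective disclosure, not a zero-knowledge proof (the verifier learns the revealed values exactly, not merely that a predicate holds), and the signature and commitment list are identical in every presentation, so any two verifiers who compare notes can link them to the same holder. Those are the gaps zero-knowledge schemes close.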


...and still more reading (research tool?)

http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=9033

Briefing: on Privacy Enhancing Technologies (PETs)

Articles / eGovernment news & analysis from the EU Date: May 03, 2007 - 07:55 AM

... The use of PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules. The use of PETs should result in making breaches of certain data protection rules more difficult and/or helping to detect them.

Several examples of PETs can be mentioned here.

> Automatic anonymisation after a certain lapse of time supports the principle that the data processed should be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the data were originally collected.

> Encryption tools prevent hacking when the information is transmitted over the Internet and support the data controller's obligation to take appropriate measures to protect personal data against unlawful processing.

> Cookie-cutters, blocking cookies placed on the user's PC to make it perform certain instructions without him being aware of them, enhance compliance with the principle that data must be processed fairly and lawfully, and that the data subject must be informed about the processing going on.

> The Platform for Privacy Preferences (P3P), allowing internet users to analyze the privacy policies of websites and compare them with the user's preferences as to the information he allows to release, helps to ensure that data subjects' consent to processing of their data is an informed one.

...

Further information on European research on PETs

European research projects in this field are funded as part of the Information Society Technologies (IST) programme.

Examples of significant IST research projects in this field:

Project PRIME: developing solutions for privacy-enhancing identity management.

Project FIDIS: developing new ways for identifying individuals, e.g. so-called virtual identities, embodying concepts such as pseudonymity and anonymity.
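Mayer-Schoenberger's "data ecology" above and the first PET in this briefing are the same mechanism: a retention clock on identifying data. As an added illustration (from neither source), here is what enforcing that clock looks like in code. The schema, the 30-day limit, the /24 and /48 coarsening rule and the sample events are all assumptions; the two points worth noticing are that the degradation must be irreversible (deletion, not keyed pseudonyms or encryption, or the data is still "in a form which permits identification") and that a record with no readable timestamp is treated as expired rather than kept forever.

```python
"""Retention clock on identifying data (added example, see lead-in)."""
from datetime import datetime, timedelta
import ipaddress

# Assumed schema and limit.
IDENTIFYING_FIELDS = ("user_id", "client_net", "user_agent")
RETENTION = timedelta(days=30)


def coarsen_address(addr: str) -> str:
    """Stage 1, at write time: store only the /24 (IPv4) or /48 (IPv6) prefix,
    so the exact host address never reaches disk."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def ingest(raw: dict, now: str) -> dict:
    """Write a record with its creation stamp; the stamp drives the clock."""
    return {
        "created": now,                                  # ISO 8601, with offset
        "user_id": raw["user_id"],
        "client_net": coarsen_address(raw["client_ip"]),
        "user_agent": raw["user_agent"],
        "action": raw["action"],                         # kept for statistics
        "country": raw["country"],                       # kept for statistics
    }


def apply_retention(record: dict, now: str) -> dict:
    """Stage 2: once a record is old enough, drop every identifying field.

    Fail closed: if 'created' is missing or unparseable the record is treated
    as expired, because losing one row's identifiers is the cheaper mistake.
    """
    try:
        age = datetime.fromisoformat(now) - datetime.fromisoformat(record["created"])
        expired = age >= RETENTION
    except (KeyError, TypeError, ValueError):
        expired = True
    if not expired:
        return dict(record)
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def retention_job(records: list, now: str) -> dict:
    """Run the clock over a store and report how many records were degraded."""
    out = [apply_retention(r, now) for r in records]
    degraded = sum(1 for before, after in zip(records, out) if after != before)
    return {"records": out, "degraded": degraded}


# Constructed sample events (not from any real system).
SAMPLE_RAW = [
    {"user_id": "u-1001", "client_ip": "198.51.100.77", "user_agent": "Mozilla/5.0",
     "action": "login", "country": "UK"},
    {"user_id": "u-1002", "client_ip": "2001:db8:abcd:12::5", "user_agent": "curl/7.x",
     "action": "download", "country": "DE"},
]


def demo() -> dict:
    old = ingest(SAMPLE_RAW[0], "2007-03-01T10:00:00+00:00")    # 63 days old on 3 May
    fresh = ingest(SAMPLE_RAW[1], "2007-05-01T10:00:00+00:00")  # 2 days old
    broken = dict(fresh)
    del broken["created"]                                        # clock missing: fail closed
    return retention_job([old, fresh, broken], "2007-05-03T10:00:00+00:00")
```

Run the job on a schedule and measure it: a retention rule that exists only on paper is exactly what the Harvard paper is complaining about.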



Good question...

http://news.com.com/8301-10784_3-9715032-7.html?part=rss&subj=news&tag=2547-1_3-0-5

Bloggers and podcasters get their own magazine

Posted by Daniel Terdiman May 2, 2007 11:05 AM PDT

... The magazine, which features famous blogger and podcaster Robert Scoble on the cover, has a Web site, of course, on which most of its content will be available for free. And it also has a free podcast edition. Why anyone would pay $79 for a subscription to the print magazine is not entirely clear.


Related (Note to law students: This could serve as the basis of a “Legal Guide for Bloggers”)

http://www.avivadirectory.com/blogger-law/

12 Important U.S. Laws Every Blogger Needs to Know

May 1st, 2007



This is a joke, right? Is America about to swap religions?

http://www.bloomberg.com/apps/news?pid=20670001&refer=us&sid=afIESX3LdgnQ

California Hotels Go Green With Low-Flow Toilets, Solar Lights

By Ari Levy and Carole Zimmer

April 27 (Bloomberg) -- Visitors to the Gaia Napa Valley Hotel and Spa won't find the Gideon Bible in the nightstand drawer. Instead, on the bureau will be a copy of ``An Inconvenient Truth,'' former Vice President Al Gore's book about global warming.



Now here's a class project I'd like to supervise. Build a brewery, and turn the waste into electricity! (and turn the beer over to the professor!) How's this for an Al Gore campaign slogan: A brewery in every home!

http://science.slashdot.org/article.pl?sid=07/05/02/2241250&from=rss

The 660 Gallon Brewery Fuel Cell

Posted by samzenpus on Wednesday May 02, @08:48PM from the drinking-electricity dept. Power Science

An anonymous reader writes "Australia's University of Queensland has secured a $115,000 grant for a 660-gallon fuel cell that should produce 2 kilowatts of power. A prototype has been operating at the university laboratory for three months. This fuel cell type is essentially a battery in which bacteria consume water-soluble brewing waste such as sugar, starch and alcohol, plus in this instance produces clean water."



Get your word out...

http://www.pmwatch.org/pmw/contact/media.asp

Media contact information



Geek stuff Security Tools & Techniques

http://blogs.zdnet.com/storage/?p=129

May 1st, 2007

How to REALLY erase a hard drive

Posted by Robin Harris @ 8:44 pm Categories: Uncategorized

... Something called Secure Erase, a set of commands embedded in most ATA drives built since 2001.

... Secure Erase overwrites every single track on the hard drive. That includes the data on “bad blocks”, the data left at the end of partly overwritten blocks, directories, everything. There is no data recovery from Secure Erase.

Says who?

The National Security Agency, for one. And the National Institute of Standards and Technology (NIST), who give it a higher security rating than external block overwrite software that you’d have to buy. Update: There is an open source external block overwrite utility called Boot and Nuke that is free.

Secure Erase is approved for complying with the legal requirements noted above.

UCSD’s CMRR to the rescue

The University of California at San Diego hosts the Center for Magnetic Recording Research. Dr. Gordon Hughes of CMRR helped develop the Secure Erase standard.

Download his Freeware Secure Erase Utility, read the ReadMe file and you’re good to go.
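What the article leaves out is the preflight. The ATA command is rejected on a drive the BIOS has frozen at boot, and a drive with a security password already set (or a forgotten password from an interrupted erase) cannot be erased with a new one. The following is an added example, not code from Robin Harris, CMRR or the hdparm project: it reads the Security block of `hdparm -I`, refuses the unsafe cases, prefers the enhanced erase when the drive offers it, and only then issues the two hdparm commands. Assumed: Linux with hdparm, the device at /dev/sdX, the throwaway password "Eins", and the sample `hdparm -I` text, which is constructed.

```python
"""Preflight and command plan for ATA Secure Erase via hdparm (added example)."""
import re
import subprocess
import sys

# Constructed excerpt of `hdparm -I` output for a drive ready to erase.
SAMPLE_READY = "\n".join([
    "/dev/sdX:",
    "ATA device, with non-removable media",
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\tnot\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t120min for SECURITY ERASE UNIT. 126min for ENHANCED SECURITY ERASE UNIT.",
    "Checksum: correct",
])
# The same drive after the BIOS issued SECURITY FREEZE LOCK at boot.
SAMPLE_FROZEN = SAMPLE_READY.replace("\tnot\tfrozen", "\t\tfrozen")


def parse_security(hdparm_output: str) -> dict:
    """Turn the 'Security:' block of `hdparm -I` into flags and durations."""
    sec = {"supported": False, "enabled": False, "locked": False, "frozen": False,
           "enhanced": False, "minutes": None, "minutes_enhanced": None}
    in_section = False
    for raw in hdparm_output.splitlines():
        line = raw.strip()
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        if line.startswith(("Logical Unit WWN", "Checksum:")):
            break                                   # end of the Security block
        tokens = line.split()
        negated = tokens[0] == "not"                # hdparm prints "not<TAB>frozen"
        word = tokens[1] if negated and len(tokens) > 1 else tokens[0]
        if word in ("enabled", "locked", "frozen"):
            sec[word] = not negated
        elif tokens == ["supported"]:
            sec["supported"] = True
        elif line.startswith("supported: enhanced erase"):
            sec["enhanced"] = True
        else:
            for mins, enh in re.findall(r"(\d+)min for (ENHANCED )?SECURITY ERASE UNIT", line):
                sec["minutes_enhanced" if enh else "minutes"] = int(mins)
    return sec


def plan_erase(sec: dict, device: str, password: str) -> dict:
    """Refuse when the erase cannot run or could leave a locked drive; else return argv lists."""
    def refuse(why):
        return {"ok": False, "reason": why, "minutes": None, "commands": []}
    if not sec["supported"]:
        return refuse("drive does not implement the ATA SECURITY feature set")
    if sec["frozen"]:
        return refuse("drive is frozen (usually by the BIOS at boot); suspend/resume or "
                      "hot-plug the drive, then run hdparm -I again")
    if sec["locked"]:
        return refuse("drive is locked; unlock it with its existing password first")
    if sec["enabled"]:
        return refuse("a security password is already set; the erase must use that "
                      "password, not a new one")
    base = ["hdparm", "--user-master", "u"]
    enhanced = sec["enhanced"]
    erase = "--security-erase-enhanced" if enhanced else "--security-erase"
    return {"ok": True,
            "reason": ("enhanced erase: also overwrites reallocated sectors" if enhanced
                       else "normal erase: zeroes user-addressable sectors only"),
            "minutes": sec["minutes_enhanced"] if enhanced else sec["minutes"],
            "commands": [base + ["--security-set-pass", password, device],
                         base + [erase, password, device]]}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: secure_erase_plan.py /dev/sdX   (root; destroys all data on the drive)")
    dev = sys.argv[1]
    ident = subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True, check=True).stdout
    plan = plan_erase(parse_security(ident), dev, "Eins")
    if not plan["ok"]:
        sys.exit(f"refusing: {plan['reason']}")
    print(f"{plan['reason']}; drive estimates {plan['minutes']} min")
    for argv in plan["commands"]:
        print(" ".join(argv))
        subprocess.run(argv, check=True)   # blocks until the drive reports completion
```

Keep the password you set until `hdparm -I` shows "not enabled" again, because an interrupted erase leaves the drive locked under it. Note also that the NIST and CMRR findings the article quotes are about magnetic disks; on flash the same ATA command is implemented quite differently by the controller.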