As we were told...
http://www.pogowasright.org/article.php?story=20071130025635744
(follow-up) Banks denied class status against TJX
Friday, November 30 2007 @ 02:56 AM EST Contributed by: PrivacyNews News Section: Breaches
In a legal victory for TJX Cos., a federal District Court judge in Boston yesterday told banks suing the Framingham retailer for damages following its massive data breach that they cannot pursue their claims as a class.
Technically, Judge William G. Young's decision to deny class certification does not end the claims against TJX by banks that want the parent of stores including TJ Maxx and Marshalls to pay for the costs of reissuing credit and debit cards following a computer system breach by unknown hackers through last year.... But the decision will make it harder for plaintiffs to proceed, since they will now have to pursue claims individually and many may decide it isn't worth the expense, said lawyer Stefan L. Jouret, a litigator at Donovan Hatem LLP in Boston.
Source - Boston Globe
Related - Court Opinion [pdf]
Still following with interest...
http://www.pogowasright.org/article.php?story=20071129180509673
(follow-up) Battle over VA's data breach heads to mediation
Thursday, November 29 2007 @ 06:05 PM EST Contributed by: PrivacyNews News Section: Breaches
Lawyers for people who sued the Veterans Affairs Department over last year's data breach will begin mediation with government attorneys in the weeks ahead and will update the federal judge overseeing the case in early 2008. Earlier this month, U.S. District Judge James Robertson dismissed several aspects of the case but said the handful of plaintiffs sufficiently made the claim that the department failed to safeguard their personal information, as required by the Privacy Act. The action was brought to the U.S. District Court for the District of Columbia as a potential class-action representing each of the estimated 26.5 million veterans whose data could have been jeopardized in the incident. The FBI eventually recovered the stolen equipment and said the files were not accessed.
Source - Government Executive
Funny that a Japanese firm is still using such old technology...
http://www.pogowasright.org/article.php?story=20071129184205260
Dentsu May Have Lost Disks Containing Shareholder Information
Thursday, November 29 2007 @ 06:42 PM EST Contributed by: PrivacyNews News Section: Breaches
Dentsu Inc., Japan's largest advertising agency, said it may have lost three CD-ROMs that contained personal information on about 54,000 shareholders.
The three disks containing data that included shareholders' names and addresses went missing from the Tokyo headquarters, it said in a statement to the Tokyo Stock Exchange yesterday. The disks did not include shareholders' telephone numbers and bank accounts, it said.
Source - Bloomberg
Attacks on infrastructure. (How do we know this guy shouldn't be at Guantanamo?)
http://www.infoworld.com/article/07/11/29/Insider-charged-with-hacking-California-canal-system_1.html?source=rss&url=http://www.infoworld.com/article/07/11/29/Insider-charged-with-hacking-California-canal-system_1.html
Insider charged with hacking California canal system
A former employee hacked the computer system that controls water flow in central California irrigation canals, highlighting security holes in the nation's infrastructure
By Robert McMillan, IDG News Service November 29, 2007
A former employee of a small California canal system has been charged with installing unauthorized software and damaging the computer used to divert water from the Sacramento River.
Why lawyers should have some computer training in addition to that e-discovery training.
http://www.privacydigest.com/2007/11/29/did+fed+lawyer+use+geeks+call+erase+govt+computer+evidence
Did Fed Lawyer Use Geeks-on-Call to Erase Gov't Computer Evidence?
November 29, 2007 - 8:45am — MacRonin
Scott Bloch, head of the Office of Special Counsel who has been under investigation for retaliation against employees and failure to investigate whistleblower cases, is under suspicion for using Geeks-on-Call to erase all the files on his office computer last year as well as laptops belonging to two of his former deputies.
Bloch claims that he had Geeks-on-Call delete all of his computer files and erase his hard drive because his computer had been seized by a virus. But he apparently bypassed his own agency's IT department when he brought in the outside geeks to do the clean-up. And, as the Wall Street Journal reports, the receipt for the work makes no mention of a virus.
Furthermore, the kind of erase Geeks-on-Call conducted on his computer -- a seven-level wipe -- is considered excessive for treating a virus. As the head of Geeks-on-Call's Washington office told the WSJ, "We don't do a seven-level wipe for a virus."
Such thorough wipes are generally conducted on machines when an individual or company is getting ready to sell them. A wipe like this is also effective if someone wants to prevent forensic investigators from recovering data on a machine.
Bloch says that no files related to investigations were affected by the wipe.
(Read Original Article - Via Threat Level.)
What's wrong with this logic? DHS is operating a system for (and apparently under the control of) the Brits. Let's assume they reciprocate.
http://www.pogowasright.org/article.php?story=20071129115815616
Privacy Impact Assessment for the DHS / UKvisas Project
Thursday, November 29 2007 @ 11:58 AM EST Contributed by: PrivacyNews News Section: Fed. Govt.
Recently the United Kingdom (UK) enacted legislation requiring the submission of biometric data by almost all individuals filing applications for UK visas. Officials from the UK and Department of Homeland Security (DHS) have agreed that individuals who are physically located in the United States (US) may provide the requisite biometrics and limited biographical information at U.S. Citizenship and Immigration Services (USCIS) Application Support Centers (ASCs) for forward transfer to the UK in support of the adjudication of applications for visas. USCIS will temporarily retain the submitted biometric and biographical records until the UK provides confirmation that the transfer of data was successful. USCIS will delete the biometric and biographical records immediately after it receives that confirmation.
Report - Privacy Impact Assessment for the DHS / UKvisas Project [pdf] (Nov. 14, 2007)
[From the report:
... Any potential privacy risk associated with the inadvertent disclosure of personally identifiable information is mitigated by the almost instantaneous transfer of the data to the UK utilizing secure encrypted transfer methods, followed by the rapid deletion of the record from USCIS IT systems. [Do they mean: “inadvertent disclosure” must happen quickly? (Say at computer processing speeds?) And therefore there is no need for security like encrypting the data they gather? Bob]
... The role of the ASC is strictly a front-end data gathering agent and will not involve performing any data accuracy checks.
... The fact that the data is not stored [of course it is! Bob] by USCIS should negate the need for any unique safeguards.
... 9.2 Describe how data integrity, privacy, and security were analyzed as part of the decisions made for your system.
The biometrics and biographical information that are being gathered on behalf of the UK are being
stored for an extremely limited period of time in a USCIS system. [In other words, they weren't analyzed? Bob]
9.3 What design choices were made to enhance privacy?
The biometrics and biographical information that are being gathered on behalf of the UK are being
stored for an extremely limited period of time in an USCIS system. [Also not done? Bob]
Related “Hey, if you're not doing anything wrong...”
http://www.pogowasright.org/article.php?story=2007112912012743
Domestic Spying, Inc.
Thursday, November 29 2007 @ 12:01 PM EST Contributed by: PrivacyNews News Section: Surveillance
A new intelligence institution to be inaugurated soon by the Bush administration will allow government spying agencies to conduct broad surveillance and reconnaissance inside the United States for the first time. Under a proposal being reviewed by Congress, a National Applications Office (NAO) will be established to coordinate how the Department of Homeland Security (DHS) and domestic law enforcement and rescue agencies use imagery and communications intelligence picked up by U.S. spy satellites. If the plan goes forward, the NAO will create the legal mechanism for an unprecedented degree of domestic intelligence gathering that would make the U.S. one of the world's most closely monitored nations. Until now, domestic use of electronic intelligence from spy satellites was limited to scientific agencies with no responsibility for national security or law enforcement.
Source - CorpWatch
(Props, Infowarrior.org)
Related “If it was good enough for Big Brother...”
http://www.pogowasright.org/article.php?story=2007113005530642
Movie: LOOK
Friday, November 30 2007 @ 05:53 AM EST Contributed by: PrivacyNews News Section: Surveillance
The Post 9/11 world has forever changed the notion of privacy. There are now approximately 30 million surveillance cameras in the United States generating more than 4 billion hours of footage every week. And the numbers are growing. The average American is now captured over 200 times a day, in department stores, gas stations, changing rooms, even public bathrooms. No one is spared from the relentless, unblinking eye of the cameras that are hidden in every nook and cranny of day-to-day life.
On Dec. 14, a new movie, LOOK, will open in Los Angeles and New York City. It is shot entirely from the perspective of surveillance cameras, and from the trailers, it looks to be a chilling look at the surveillance society we are becoming.
Source - LOOK: Official Movie Website
Related
http://www.pogowasright.org/article.php?story=20071130023553225
Yet more erosion of the Fourth Amendment?
Friday, November 30 2007 @ 02:35 AM EST Contributed by: PrivacyNews News Section: In the Courts
In a 2-1 decision, the 9th Circuit Court of Appeals ruled that collecting DNA evidence from nonviolent drug offenders does not violate their privacy rights.
Judge M. Margaret McKeown wrote for the majority that the law was constitutional:
In sum, we agree in principle with the other circuits that have considered the issue, and hold that in the case before us, requiring Kriesel to comply with the 2004 amendment to the DNA Act is constitutional because the government’s significant interests in identifying supervised releasees, preventing recidivism, and solving past crimes outweigh the diminished privacy interests that may be advanced by a convicted felon currently serving a term of supervised release.
Judge Betty B. Fletcher dissented:
The majority holds, with an air of shrugging inevitability, that without a warrant, without probable cause, indeed without any suspicion whatsoever, the federal government may seize and repeatedly search the DNA of all federal felons on supervised release, regardless of their offense or their likelihood to re-offend. They sanction the inclusion of that DNA in a massive and permanent computer database, the sole purpose of which is to aid generalized criminal investigation. This offends not only the Fourth Amendment but our precedents. I respectfully dissent.
Court Opinion- U.S.A. v Kriesel [pdf]
Related - AP: DNA Samples OK for Nonviolent Felons
Tools & Techniques Network Security
http://hardware.slashdot.org/article.pl?sid=07/11/30/1325228&from=rss
New Way to ID Invisible Intruders on Wireless LANs
Posted by Zonk on Friday November 30, @08:45AM from the you-have-laboured-to-produce-a-biologic dept. Wireless Networking IT Technology
Bergkamp10 writes "Australia's University of Technology in Queensland has created a groundbreaking new system that can detect invisible intruders on wireless LANs. Wireless networks have been almost impossible to thoroughly secure as they possess no clearly defined boundaries, instead they are defined by the quality and strength of the receiving antenna. QUT Information Security Institute researcher Dr Jason Smith has invented a new system to detect eavesdropping on unencrypted networks [That's not how I read it... Bob] or active hijackings of computer sessions when a legitimate user who is logged onto the network leaves the connection. Smith has created a series of monitoring techniques that when used together can detect both attackers and configuration mistakes in network devices."
Husband 101: If you don't like washing dishes, be sure to drop a few the first time the wife asks you to help...
http://techdirt.com/articles/20071128/173150.shtml
Recounting Touch-Screen Elections In Ohio
from the problems-galore dept
Joseph Beck writes "Here in the Cleveland area there are a few election races that must be recounted because the final results were close. The county uses touchscreen machines from Diebold. The machines print a paper ballot that is reviewed by the voter. State law calls for those paper ballots to be used for the recount. The problem is, some of those ballots did not print properly because of paper jams and malfunctions, and are not readable. The Ohio Secretary of State has declared that those votes can be counted by simply reprinting the paper ballot from the memory card. Of course that defeats the purpose of a voter-verified audit trail, but she says it is acceptable. The next day the news came out that the number of unreadable ballots was actually 20% of all ballots. [If my printer failed that often I'd shoot it (and the guy who sold it to me.) Bob] A spokesman for Diebold said "That is a percentage that prompts us to do further investigation." I'm sure they'll get right on it."
Anyone want to take odds on how long it will take before Diebold or another e-voting supporter uses this failure as an example of why they were better off without a voter-verifiable paper trail in the first place? Diebold and others have always used the "well, paper receipts jam" excuse in the past, meaning the companies have little incentive to come up with ways to prevent such paper jams.
Inevitable that someone would take on such a tempting target.
http://techdirt.com/articles/20071130/003324.shtml
Oregon Attorney General Fighting Back Against RIAA Lawsuits
from the messed-with-the-wrong-attorney-general dept
Over the summer, we wrote about a lawsuit someone had filed against the RIAA in Oregon, claiming that the RIAA's investigation tactics were illegal, since the firm it used to sniff out unauthorized users, MediaSentry, was not a licensed investigator in Oregon. This seemed like a relatively weak claim (or at least one focused on the letter of the law more than the spirit). However, it appears that argument has caught the attention of Oregon's Attorney General who already is unhappy with the RIAA. You may recall that earlier this month, the Attorney General stood up to the RIAA after it tried to get the University of Oregon to identify students. It was surprising to see the AG get involved in such an issue, but clearly, he believes the RIAA is going to far. [More likely, he found out how vulnerable they were in his earlier investigation... Bob] The RIAA responded to his filing, opposing the motion, of course. And now the Attorney General has responded, not just about this particular issue, but slamming the RIAA on a number of fronts, [AG check, RIAA makes a “buy the pot” bet, then AG raises “all in” Read 'em and weep RIAA. Bob] suggesting that the RIAA may be in a bit more hot water than it believed. He repeats the argument that the RIAA's investigation techniques are illegal and then goes on to slam the evidence the RIAA has, how it's gathered, how it uses these cases to squeeze money out of unsophisticated people and many other points about these RIAA cases. The response then points out why this is an important matter for the Attorney General to take a stand on and how it would like to get some answers from the RIAA:
"Because Plaintiffs routinely obtain ex parte discovery in their John Doe infringement suits, as they themselves have pointed out, their factual assertions supporting their good cause argument are never challenged by an adverse party and their investigative methods remain free of scrutiny. They often settle their cases quickly before defendants obtain legal representation and begin to conduct discovery.... While the University is not a party to the case, Plaintiffs' subpoena affects the university's rights and obligations. Plaintiffs may be spying on students who use the University's computer system and may be accessing much more than IP addresses. The University seeks the Court's permission to serve the attached interrogatories on Plaintiffs and conduct telephonic depositions of the individuals who investigated the seventeen John Does named in this lawsuit to determine 1) what their investigative practices are and 2) whether they have any additional information with which to identify the John Does."
It looks like the RIAA may have messed with the wrong university in the wrong state.
Keep current
http://www.bespacific.com/mt/archives/016679.html
November 29, 2007
Annual McAfee Virtual Criminology Report
McAfee Virtual Criminology Report - Cybercrime: The Next Wave - The annual McAfee global cyber trends study into organized crime and the Internet in collaboration with leading international security experts, November 2007.
"For this report we consulted with more than a dozen security specialists at top institutions such as NATO, the FBI, SOCA, the Center for Education and Research in Information Assurance and Security (CERIAS), the International Institute for Counter -Terrorism in Israel and the London School of Economics. These experts are also on the front lines in the fi ght against cybercrime every day, and we asked for their insights on the state of this dangerous underworld - as well as their predictions on where it’s going next...the experts agree that cybercrime has evolved significantly in complexity and scope. Espionage. Trojans. Spyware. Denial-of-service attacks. Phishing scams. Botnets. Zero-day exploits. The unfortunate reality is that no one is immune from this malicious industry’s reach — individuals, businesses, even governments. As the world has flattened, we’ve seen a significant amount of emerging threats from increasingly sophisticated groups attacking organizations around the world. And it’s only going to get worse..."
Ditto
http://www.bespacific.com/mt/archives/016683.html
November 29, 2007
Agencies to Issue Proposed Rules and Guidelines that Address Accuracy and Integrity of Consumer Report Information and Rules to Allow Direct Disputes
Press release: "The Federal Trade Commission and the federal financial regulatory agencies (the Agencies) have approved proposed regulations and guidelines to help ensure the accuracy and integrity of information provided to consumer reporting agencies and to allow consumers to directly dispute inaccuracies with financial institutions and other entities that furnish information to consumer reporting agencies. This information is widely used to determine eligibility for credit, employment, insurance, and rental housing. The proposal would implement section 312 of the Fair and Accurate Credit Transactions Act of 2003, which amends the Fair Credit Reporting Act."
Light reading... Scanned as images, not available as text?
http://slashdot.org/article.pl?sid=07/11/29/2048204&from=rss
Carnegie Mellon's Digital Library Exceeds 1.5 Million Books
Journal written by cashman73 (855518) and posted by Zonk on Thursday November 29, @08:30PM from the might-just-be-enough-to-read dept. Education Books The Internet
cashman73 writes "Most Slashdot readers are probably familiar with Google's book scanning project, a collaboration with several major universities to digitize works of literature, art, and science. But Google may have been beat to the punch this time -- about a decade ago, Carnegie Mellon University embarked on a project to scan books into digital format, to be made available online. Today, according to new reports, they now have a collection of 1.5 million books, the equivalent of a typical university library, available online."
Keeping the world safe for democracy!
http://www.gigalaw.com/news/2007/11/anti-spam-software-firm-wins-trademark.html
Anti-Spam Software Firm Wins Trademark Case with Hormel
Spam Arrest LLC, a provider of software and services aimed at stopping e-mail spam, said it won a five-year legal battle against Hormel Foods Corp to keep its trademark. Spam Arrest said a three-judge panel found that Hormel's trademark "does not extend to computer software for filtering spam."
Read the article: Reuters | Posted: 11/29/2007 05:20:00 PM | Permalink
Worth a look?
http://digg.com/motorsport/Gas_price_interactive_map_launches
Gas price interactive map launches
Mapquest launched a new interactive map service today called Mapquest Gas Prices. It feels much more like a fresh website than, say, the government's site designed to do a similar job.
http://www.autobloggreen.com/2007/11/29/new-mapquest-gas-price-interactive-map-launches-also-finds-loca/
I gotta try this! Imagine me on the cover of “National Curmudgeon!”
http://www.killerstartups.com/Web-App-Tools/magmypic--Put-Your-Face-On-The-Cover-Of-A-Magazine/
MagMyPic.com - Put Your Face On The Cover Of A Magazine
You have visited your friend’s MySpace page and have seen photos of them on the cover of People magazine. Don’t be fooled, they are not famous, they are using fun applications to create magazine covers that feature their photo. MagMyPic.com is a site that does just this. You can upload any image you like and turn it into your own custom magazine cover. Choose from a list of different popular magazines such as National Geographic, People, Vogue, Rolling Stone, Sports Illustrated, and more. Creating your custom cover is easy and then you can send it to who ever you want and post it on your social networks and sites. You can take a look at other covers that where made on the site, there is a whole section to browse through. You can also subscribe to any of the magazines whose cover is featured on the site. [Buying the rights, cheap? Good for the magazines! Bob] MagMyPic.com is a great site to have fun at and to pick up a subscription while you are at it.
Illustration of poorly thought out security.
http://www.michaelsalamon.com/?p=20&redirect=1129