Saturday, December 08, 2007

Read the article carefully. My take is that EDS didn't discover the data spill. And it took them a month to determine who was impacted. (Interesting that the Air Force is reporting this.)

http://www.pogowasright.org/article.php?story=20071207171706185

Tricare data breach affects 4,700 families

Friday, December 07 2007 @ 05:17 PM EST Contributed by: PrivacyNews News Section: Breaches

Letters are in the mail to about 4,700 households who submitted claims through the Tricare Europe office since 2004 about a data breach involving their personal information — a month after the breach was reported.

Most of those affected have since moved from Europe.

Electronic Data Systems notified Tricare on Nov. 7 that they had not properly secured a part of the system it maintains for Tricare, and “certain external entities” had been allowed access to a file with personal information.

That file contained full or partial Social Security numbers. For one or more members of each household, it included their name, date of birth, and a medical diagnosis code associated with a health benefits claim submitted to Tricare Management Activity.

Source - AirForceTimes



TJX strikes back! “We had poor security only in theory. In practice, we were as good as most retailers.”

http://www.boston.com/business/globe/articles/2007/12/07/tjx_subpoenas_documents_from_mastercard_on_breach/

TJX subpoenas documents from MasterCard on breach

December 7, 2007

TJX Cos. has subpoenaed security details from MasterCard Inc., court filings showed, as the Framingham retailer argued it hasn't been able to get sufficient information from the payment card network. The parent company of TJ Maxx and Marshalls faces claims in federal district court in Boston from banks that say its security was lax before a data breach through 2006 that compromised as many as 100 million account numbers. TJX has argued that the payment system as a whole faced security issues and struck a deal with Visa Inc. last week in which both sides vowed more cooperation. In its filings yesterday, TJX said MasterCard "is a central figure in this case" whose knowledge and conduct related to TJX's defenses. (Ross Kerber)



What would be the equivalent in the brick and mortar world? Your private security guards suddenly lock the doors and won't allow customers into the store?

http://www.pcmag.com/article2/0,2704,2229576,00.asp?kc=PCMS102049TX1K0100488

Symantec Screwup Is 'Worse Than Any Virus'

12.06.07 by Chloe Albanesius

A routine update from Symantec Security Response wreaked havoc on a California company's clientele this week when it inadvertently tagged a program produced by Solid Oak Software as a virus and cut off the Internet access of Solid Oak customers.

Symantec on Monday released a virus definition update that incorrectly identified Solid Oak's CyberSitter filtering program as a virus. Depending on the version of Symantec's Norton Antivirus product that Solid Oak customers were running, CyberSitter files were either deleted or banned from use by Norton, according to Solid Oak.

Customers, which include schools, libraries and personal accounts, were not provided with a recovery mechanism and subsequently lost Internet access. Solid Oak did not have an exact number of those affected, but it likely numbers in the tens of thousands, according to a spokeswoman.

Customers have had to re-install entire operating systems and software, she said. [Expensive! Bob]

Symantec contacted Solid Oak on Wednesday and "under pressure from Solid Oak," set up a technical support number for customers to call, Solid Oak said.

That number, however, is no longer in service. When PC Magazine called it on Thursday evening, it directed callers to the Norton customer service Web site, which provides standard fixes to common problems but does not address the problem facing Solid Oak customers.

This is the third time in less than a year that Symantec's Norton products have caused severe damage to computers running CYBERsitter software offerings, said Brian Milburn, president of Solid Oak Software, in a statement. "In my opinion, Norton products are worse than any virus I can think of," he said.

"We have thousands of users with no Internet access and all Symantec has done is to provide our mutual customers with a non-functioning support number that tells them to use on-line support," Milburn added. "The problem is even worse because of the holiday season. Users are trying to order gifts on-line and they can't."

A Symantec spokeswoman said the company was "researching" the problem.

The situation is "embarrassing" for Solid Oak, Solid Oak's spokeswoman said. The company has been forced to pass along to customers instructions from Symantec, but nothing is working, she said. "People are upset," she said.

Solid Oak received an e-mail from Kevin Haley, Symantec's director of product management for Security Response, at 11 a.m. PST but no further instructions have been relayed, according to Solid Oak.



“...anything you say may be used against you in court.”

http://www.eweek.com/article2/0,1759,2229936,00.asp?kc=EWRSS03119TX1K0000594

Play It Isn't So

December 7, 2007 By Roy Mark

NOTE TO NYPD: Many MP3 players now have digital recording ability. While that might be old news to most, apparently N.Y. police Detective Christopher Perino didn't get the memo. It may cost Perino his badge and 84 years in prison.

Perino, 42 and a 19-year New York Police Department veteran, was indicted Dec. 6 by a Bronx grand jury for allegedly lying while under oath at the trial of a Bronx man charged with attempted murder. At the April trial, Perino repeatedly insisted he did not try to pressure the prime suspect into signing a confession.

Perino also testified he did not try to dissuade the suspect from talking with an attorney nor did he try to convince the suspect he didn't need an attorney.

Unfortunately for Perino, the suspect recorded the interview with Perino on a new MP3 player he had received for Christmas. The 75-minute MP3 interview refuted all Perino's claims. Perino was indicted for perjury.

The trial centered on a Dec. 25, 2005, shooting. Six days later, Perino conducted an interview with the prime suspect, Erik Crespo, then 17. Crespo hit the record button on the MP3 player in his pocket. After the interview, Crespo was detained but allowed to turn over his personal possessions—including the MP3 player—to his mother. [That procedure will be revised... Bob]


The cop (above) should have seen this cartoon. Might show up in a bunch of Privacy PowerPoints.

http://www.pogowasright.org/article.php?story=20071207182020196

A Surveillance Society Works Both Ways (comic)

Friday, December 07 2007 @ 06:20 PM EST Contributed by: PrivacyNews News Section: Surveillance

Source - NewsTarget.com



...and the flip side. (and others)

http://www.pogowasright.org/article.php?story=20071207184300286

Taking computer in for installing new DVD drive waives expectation of privacy

Friday, December 07 2007 @ 06:43 PM EST Contributed by: PrivacyNews News Section: In the Courts

Trial court erred in finding that defendant did not waive his expectation of privacy in the child porn on the video files on his computer when he took it to Circuit City for installation of a new DVD drive. Commonwealth v. Sodomsky, 2007 PA Super 369, 2007 Pa. Super. LEXIS 4113 (December 5, 2007).

Source - FourthAmendment.com (blog)



Legal arguments are reducing to: “We don't need no stinking warrants!”

http://msn-cnet.com.com/Police-Blotter:-Verizon-forced-to-turn-over-text-messages/2100-1030_3-6221503.html?part=msn-cnet&subj=ns_2510&tag=mymsn

Police Blotter: Verizon forced to turn over text messages

By Declan McCullagh Story last modified Wed Dec 05 10:12:46 PST 2007

What: U.S. Department of Justice seeks archived SMS text messages from Verizon Wireless without obtaining a warrant first.

When: District judge rules on October 30; magistrate judge completes review of archived text messages on Friday.

Outcome: Prosecutors receive the complete contents of defendant's text messages.

What happened, according to court documents:

It may not be that well known outside of police and telecommunications circles, but odds are excellent that your mobile phone provider saves copies of your SMS text messages. In a case that Police Blotter wrote about last year, federal police obtained logs of archived text messages from two unnamed wireless providers.

In addition, a judge in the Kobe Bryant sex case ordered the phone provider to turn over archived messages. Text messages were also part of the trial involving the attempted murder of rapper 50 Cent.

(By the way, here is one way to send almost-anonymous text messages.)

The most recent case dealing with SMS text messages does not involve a celebrity, though. It involves Susan Jackson, who pleaded guilty to wire fraud involving unauthorized transfers from her employer's bank account to her own NASA Federal Credit Union account.

To buttress her request for a minimum sentence, Jackson submitted letters that she said were from friends, employers, and relatives, but the U.S. Secret Service asserts the documents were altered or doctored. If that is true, it could amount to an additional charge of obstruction of justice.

One person allegedly said that Jackson urged him, "using text messaging and e-mail," to go along with the alterations.

The U.S. Department of Justice asked for a subpoena ordering Verizon Wireless to turn over the contents of text messages for phone number (301) 325-XXXX. The request was made under 18 USC 2703(b)(1)(b)(i) and (ii), which do not require probable cause and a search warrant. Instead, all prosecutors must do is claim--and this is much easier--that the records are "relevant and material" to an investigation. (The Justice Department says this is fine because the text messages were "opened communications," meaning that they were already read by the recipient and should therefore be easier to obtain.)

Jackson's lawyer opposed the request, saying that a proper search warrant was required. On October 30, U.S. District Judge Richard Roberts sided with the prosecution and said that only a subpoena was needed.

Verizon complied. It turned over three sets of documents: information about the account holder linked to that phone number, a list of the complete contents of the text messages sent or received by cellular telephone number (301) 325-XXXX between June 6 and October 31, 2007, and a log of whom Jackson sent messages to from her Verizon e-mail address. Note that Verizon did not keep copies of the actual contents of her e-mail messages.

Because Jackson alleged that the text messages might involve sensitive attorney-client communications, the court appointed a magistrate judge to review them. Magistrate Judge Alan Kay concluded that the text messages did not involve attorney-client privilege and recommended they be turned over to prosecutors "in their entirety."

Excerpts from Justice Department's brief:

Unfortunately, the defendant's Internet services provider, Verizon Internet Services, Inc., has advised the government that it does not store the content of its subscribers' e-mail communications...

It does maintain, however, a "transactional log" for its accounts, including the defendant's account... Since the information will not contain the content of any communications, it is not believed that the defendant has any basis to contest production.



Isn't this the business model I suggested?

http://www.killerstartups.com/Video-Music-Photo/AudioSocketMusiccom---Get-Your-Indie-Music-Licensed/

AudioSocketMusic.com - Get Your Indie Music Licensed

AudioSocket wants to license your music. The terms are pretty favorable for the artist. They keep 100% of the music rights, 60% of the licensing fee, 100% of the royalty payments, and they’ll get both the attention and treatment they deserve. AudioSocket is a small, boutique-style agency, which means they do the work hands-on. Each artist is hand selected, which means only the best from around the world are selected.

http://www.audiosocketmusic.com/

Friday, December 07, 2007

This was a “phishing attack” and about 1% of the employees fell for it. Actually pretty good odds. Still leaves a lot of questions about security. Apparently no encryption. Apparently the logs can't tell them what files were accessed.

http://www.pogowasright.org/article.php?story=20071206202409568

Oak Ridge National Lab reports 'sophisticated' cyber attack netted personal data on visitors

Thursday, December 06 2007 @ 08:24 PM EST Contributed by: PrivacyNews News Section: Breaches

The Oak Ridge National Laboratory revealed on Thursday that a "sophisticated cyber attack" over the last few weeks may have allowed personal information about thousands of lab visitors to be stolen.

The assault appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country," lab director Thom Mason said in a memo to the 4,200 employees at the Department of Energy facility.

Oak Ridge officials would not identify the other institutions affected by the breach. But they said hackers may have infiltrated a database of names, Social Security numbers and birth dates of every lab visitor between 1990 and 2004.

Source - International Herald Tribune



Another case of the stupids? Another Monty Python skit? “We thunk it through, and this was the smartest plan what we could come up with.”

http://www.pogowasright.org/article.php?story=20071206210727218

Fasthosts flamed over hack response

Thursday, December 06 2007 @ 09:07 PM EST Contributed by: PrivacyNews News Section: Breaches

One of Britain’s largest web hosting companies is fending off a customer backlash over how it responded to its central database being hacked by criminals.

After it detected a breach to its network, which stores customers’ names, addresses, bank details and plain-text passwords, Fasthosts requested all passwords to be reset.

When customers failed to comply with this “precautionary measure,” the firm went ahead and reset all unchanged FTP and Control Panel passwords automatically.

Internet forums show this has angered customers, while some reports claim it wasn’t only the unchanged passwords that the company updated without notification.

But because of the security breach, Fasthosts couldn’t e-mail the new passwords for fear of them being compromised again, so it resorted to sending them in the post. Some affected customers are still waiting for their new details to be delivered.

Source - Contractor UK



“They only had the documents for a month, so we can assume they didn't have access to a xerox or simply can't read...”

http://www.pogowasright.org/article.php?story=20071206210231842

CO: Police catch thieves who stole car with state documents inside

Thursday, December 06 2007 @ 09:02 PM EST Contributed by: PrivacyNews News Section: Breaches

Police have arrested four alleged car thieves who stole a car with documents inside listing people's names, Social Security numbers and birth dates.

On the morning of November 30, Lone Tree Police say a Saturn sedan was stolen from a shopping center in Lone Tree.

Inside the car were documents related to the Colorado Department of Regulators Office, specifically related to the Board of Dental Examiners, according to police. The paper documents had doctor/patient information, including Social Security numbers and birth dates for about 200 people.

The Department of Dental Registration is currently alerting the people that their personal information may have been compromised.

Source - 9News.com



Rules to live by...

http://www.pogowasright.org/article.php?story=2007120620280610

Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere

Thursday, December 06 2007 @ 08:28 PM EST Contributed by: PrivacyNews News Section: Other Privacy News

If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley. Why is this? The accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing the privacy health of an organization. So when it comes to IT projects, any system or related business process touching personal data will have new rules to play by.

What is the GAPP? I have to agree with the auditors on this one. It's the best attempt so far to address the main point of pain for global chief privacy officers: the growing complexity of privacy regulations around the world.

Source - Computerworld



Too cute?

http://www.killerstartups.com/Web-App-Tools/3d-packcom---Make-3D-Boxes-Out-of-Your-Favorite-Images/

3d-pack.com - Make 3D Boxes Out of Your Favorite Images

The site lets you create a 3d box from your favorite images. All you’ve got to do to get your nifty, free box is upload an image, any image, for the cover and sides of your box, and voila, you’ve got a cool image in 3d box form. It couldn’t get any simpler. Check out the gallery for ideas, then get your own box for free.

http://3d-pack.com/



“Hey, we see you are a Liberal Arts major! Want a job after graduation?”

http://consumerist.com/consumer/badvertising/mcdonalds-advertises-on-elementary-school-report-cards-330870.php

McDonald's Advertises On Elementary School Report Cards

Health advocates are setting their outrage phasers on kill over a McDonald's ad appearing on the report cards of Seminole County, Florida elementary schools. The ad promises free Happy Meals to kids with good grades, despite promises by McDonald's that they would "ban advertising to children under 12 or limit them to food and snacks that meet certain nutritional guidelines."

Thursday, December 06, 2007

Should be among the last people to have a data spill. What were they thinking?

http://www.pogowasright.org/article.php?story=20071205224157898

Forrester Loses Laptop Containing Personnel Data

Wednesday, December 05 2007 @ 10:41 PM EST Contributed by: PrivacyNews News Section: Breaches

Thieves stole a laptop from the home of a Forrester Research employee during the week of Nov. 26, potentially exposing the names, addresses and Social Security numbers of an undisclosed number of current and former employees and directors, the company said in a letter mailed to those affected on Dec. 3.

Source - eWeek

[From the article:

... Forrester "Chief People Officer" Elizabeth Lemons said in the letter that the hard drive is password-protected but made no mention of encryption.

... the office of Forrester's "chief people officer" apparently had not informed the firm's media staff of the incident before sending out the letter.

... As such, the media relations staff was not prepared with an incident response plan.



“because we need a social security number to determine blood type.”

http://www.pogowasright.org/article.php?story=2007120522440441

Stolen Laptop Had 268,000 Social Security Numbers

Wednesday, December 05 2007 @ 10:44 PM EST Contributed by: PrivacyNews News Section: Breaches

A Twin Cities blood bank says a laptop computer with 268,000 names and Social Security numbers has been stolen.

Memorial Blood Centers said Wednesday it has begun notifying blood donors of the theft, but they should monitor their financial accounts as a precaution. The laptop computer was taken on Nov. 28 in downtown Minneapolis during preparations for a blood drive.

Source - WCCO

[From the article:

... Spokeswoman Laura Kaplan said they need the Social Security numbers to verify that donors are eligible to give blood.



Just in case you missed this little tidbit from the land of 1984.

http://www.pogowasright.org/article.php?story=20071205232553538

UK: Lost data discs 'endanger protected witnesses'

Wednesday, December 05 2007 @ 11:25 PM EST Contributed by: PrivacyNews News Section: Breaches

Hundreds of people in police witness protection programmes have been put at risk by the loss of millions of child benefit records, The Daily Telegraph can reveal.

The missing data discs are understood to contain both the real names and the new identities of up to 350 people who have had their identities changed after giving evidence against major criminals.

Source - Telegraph.co.uk

(Props, Fergie's Tech Blog)



Minimum standard? Do this... (see next article)

http://www.bespacific.com/mt/archives/016729.html

December 05, 2007

FTC Offers Tutorial for Businesses on Protecting Personal Information

"Protecting the personal information of customers, clients, and employees is good business. The Federal Trade Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost ways to keep data secure. The tutorial, “Protecting Personal Information: A Guide for Business,” at www.ftc.gov/infosecurity, takes a plain-language, interactive approach to the security of sensitive information. Although the specifics depend on the type of company and the kind of information it keeps, the basic principles are the same: any business or office that keeps personal information needs to take stock, scale down, lock it, pitch it, and plan ahead. The tutorial explains each of these principles, and includes checklists of steps to take to improve data security."


...or else?

http://www.bespacific.com/mt/archives/016737.html

December 05, 2007

CRS Report - Botnets, Cybercrime, and Cyberterrorism

Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security... This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."



Perhaps we need one for politicians?

http://www.nbc24.com/News/news_story.aspx?id=73000

Device that warns against nearby sex offenders

Posted: Wednesday, December 05, 2007 at 4:00 p.m.

... Offendar LLC of Chagrin Falls showed the device, about the size of a key fob, that vibrates when picking up a signal from a parolee's monitoring bracelet. The device has a range of about 50 yards, and would also alert the parolee to stay out of range and avoid tripping the alarm.



Convergence... Should work fine until the TSA decides that cellphones could detonate bombs and starts arresting people for pointing them at security personnel...

http://www.usatoday.com/tech/products/gear/2007-12-04-electronic-boarding-pass_N.htm

Cellphone could be boarding pass, too

By Barbara De Lollis, USA TODAY Updated 23h 57m ago

... Instead of a paper pass, Continental Airlines (CAL) and the Transportation Security Administration will let passengers show a code the airline has sent to their cellphone or PDA.



Some useful stuff!

http://digg.com/software/Top_10_Free_Windows_File_Wranglers_2

Top 10 Free Windows File Wranglers

lifehacker.com — You spend a whole lot of time each day moving, copying, trashing, browsing and otherwise fiddling with all the files stored on your PC, and you should have the most efficient power tools to get those jobs done.

http://lifehacker.com/software/lifehacker-top-10/top-10-free-windows-file-wranglers-330037.php



A dalliance for my Small Business Management class? I've gotta play with this one!

http://www.killerstartups.com/Web20/ThirtyDayChallengecom---Start-Your-Own-Online-Business/

ThirtyDayChallenge.com - Start Your Own Online Business

The Thirty Day Challenge is a site that helps beginners break into the online business world. The challenge is to start your own online business without spending any money and to earn at least $10 in a month. The friendly fellows at The Thirty Day Challenge will provide users with the necessary information and tools to create a successful online business.

... The Thirty Day Challenge will also provide you with modern software that will help you create the ultimate site. The Thirty Day Challenge starts on the first of every month so challenge yourself and you can possibly create a successful online business.



Be prepared!

http://www.allowe.com/Humor/book/When%20Insults%20Had%20Class.htm

When Insults Had Class

Wednesday, December 05, 2007

Is this another indication that companies are actually starting to look at the security of their applications?

http://www.pogowasright.org/article.php?story=20071204084716846

Security Lapse Affects Thousands Of Electric Customers

Tuesday, December 04 2007 @ 08:47 AM EST Contributed by: PrivacyNews News Section: Breaches

The private information of thousands of Indianapolis Power and Light customers was inadvertently posted online for up to four years, [...and nobody noticed? Bob] officials said Monday.

The information affects 3,000 residential IPL customers from 2003 until November 2007.

IPL said the data included names, addresses and Social Security numbers that somehow ended up on an accessible server on the Internet.

Source - The Indy Channel



Another retailer who keeps old records online...

http://www.pogowasright.org/article.php?story=20071204194103598

KimsCrafts website security breach exposes customers' credit card numbers

Tuesday, December 04 2007 @ 07:41 PM EST Contributed by: PrivacyNews News Section: Breaches

eMotive, Inc., d/b/a KimsCrafts, has notified the New Hampshire DOJ that a website security breach affecting its e-commerce site allowed access to customers' names, addresses and credit card numbers during the period of August 13 to October 1, 2007. The breach affected all customers who placed orders after June 25, 2001. KimsCrafts indicated that it was notifying 4,500 customers of the breach.

Source - Notification letter to NH DOJ [pdf]



Laptops are designed to be portable. It takes real skill to misplace a desktop...

http://www.pogowasright.org/article.php?story=20071204193458908

Oracle "misplaces" desktop with employee information

Tuesday, December 04 2007 @ 07:34 PM EST Contributed by: PrivacyNews News Section: Breaches

Oracle Corporation reported that a desktop computer containing personal information on employees and contractors of Lodestar was "misplaced" during a move. Lodestar had been recently acquired by Oracle.

The personal information included one or more of the following types of information on the employees and contractors: name, home or business address, Social Security number, and other earnings or expense information.

Those affected were notified by letter and offered free credit monitoring services.

Source - Notification letter to NH DOJ [pdf]



Is this an example of a self-regulating industry?

http://www.pogowasright.org/article.php?story=20071204084844656

TJX’s Settlement with Visa Casts Light on Murky World of PCI Penalties

Tuesday, December 04 2007 @ 08:48 AM EST Contributed by: PrivacyNews News Section: Businesses & Privacy

The settlement The TJX Cos. and Visa Inc. announced Friday not only shows the retailer is well on its way to disposing of the myriad problems arising out of the intrusion into its computer system that potentially compromised nearly 100 million credit and debit cards, but it also gives a rare glimpse into the secretive realm of penalties networks use to enforce rules for protecting cardholder data.

Source - Digital Transactions



New technology requires new law?

http://volokh.com/posts/1196148513.shtml

Fourth Amendment Protection in Text Pager Messages:

[Orin Kerr, November 30, 2007 at 6:45pm] Trackbacks

The Ninth Circuit recently held oral argument in a fascinating case on how the Fourth Amendment protects messages sent and received via pagers. The name of the case is United States v. McCreary, and I have posted the brief for the defense here and the brief for the United States here. You can listen to the audio of the oral argument from mid-October before Judges Hug, W. Fletcher, and Clifton from this link. This potentially is a very important case, so I thought I would blog some relatively detailed thoughts about it. Given the usual pace of such things, the opinion probably will be published in a month or two.

... The legal question in United States v. McCreary is whether the government violated McCreary's Fourth Amendment rights by obtaining the text of the pager messages using a subpoena instead of a search warrant.



Because he thinks...

http://it.slashdot.org/article.pl?sid=07/12/04/2128256&from=rss

Freakonomics Q&A With Bruce Schneier

Posted by kdawson on Tuesday December 04, @05:10PM from the thinking-like-an-economist dept. Security

Samrobb writes "In grand Slashdot tradition, the Freakonomics blog solicited reader questions for a Q&A session with Bruce Schneier. The blog host writes that Mr. Schneier's answers '...are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal.'"

The interview covers pretty much the whole range of issues Schneier has written about, and he provides links to more detailed writings on many of the questions.



Everything you ever wanted to know about Spam, Spam, Spam Spam...

http://www.technewsworld.com/rsstory/60587.html

The Evolution of Spam, Part 3: Now Taking Control of Your PC

By Andrew K. Burger E-Commerce Times Part of the ECT News Network 12/04/07 4:00 AM PT

"People have to stop buying from spam. I have to wonder if there are really people, even one in 10 million, who are so stupid that they think it is a good idea to buy Viagra from an e-mail titled 'Fires in California kill a second person.' It would seem so," said Randy Abrams, director of technical education at ESET.



A backoffice tool

http://www.wral.com/business/blogpost/2126165/

Web Tool Quickly Shows You Shipping Prices

Posted: Today at 2:37 a.m.

Yow, if you have to mail anything this holiday season I've found you a great Web site. It takes your to and from destination zip codes and gives you a table of shipping prices across several different carriers. It's called ShipGooder and it's available at http://shipgooder.com/.



Reeeaaalll simple explanation...

http://www.managednetworks.co.uk/how-the-internet-works.html

How the Internet works (explained with tennis balls)



I haven't pointed to one of these recently...

http://lifehacker.com/software/feature/how-to-track-down-anyone-online-329033.php

How to Track Down Anyone Online

Tuesday, December 04, 2007

Isn't this a clear failure of management? Is no one checking?

http://www.pogowasright.org/article.php?story=20071203165715290

Ortho-Clinical Diagnostics employee info exposed

Monday, December 03 2007 @ 04:57 PM EST Contributed by: PrivacyNews News Section: Breaches

Almost 4,300 Ortho-Clinical Diagnostics, Inc. employees had their personal information exposed to employees with access to the company network after the security settings on a file that was supposed to restrict access to Human Resources Dept. personnel were inadvertently removed. The file was exposed for approximately six months. [Six months and no one noticed? Bob] The personal information on employees dating back to 2002 may have included home address and telephone number, pre-employment screening information, compensation and other employment data, and social security number.

Ortho-Clinical Diagnostics, Inc. is a subdivision of Johnson & Johnson, and the file was available to any authorized user of the Johnson & Johnson (North America).

OCD arranged for free credit monitoring services for those affected.

Source - Notification letter to NH DOJ [pdf]



Because...

http://www.pogowasright.org/article.php?story=20071203080837119

Data “Dysprotection:” breaches reported last week

Monday, December 03 2007 @ 08:08 AM EST Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



Another perspective?

http://www.pogowasright.org/article.php?story=20071203151225391

The Information Security Forum Releases Report on Dangers of Information Leakage

Monday, December 03 2007 @ 03:12 PM EST Contributed by: PrivacyNews News Section: Breaches

The Information Security Forum (ISF) today released a report on the dangers associated with information leakage. The report provides guidelines on how to identify, address and avoid such security breaches. To access the full report, visit https://www.securityforum.org/html/view_pub01.asp. This and other security issues will be discussed at the ISF 18th Annual World Congress, taking place December 9 – 11, 2007, in Cape Town, South Africa.

Source - WebWire



The defenders of copyright strike again?

http://yro.slashdot.org/article.pl?sid=07/12/04/015229&from=rss

MPAA Forced To Take Down University Toolkit

Posted by kdawson on Monday December 03, @09:05PM from the sauce-for-the-goose dept. GNU is Not Unix

bobbocanfly writes "Ubuntu developer Matthew Garrett has succeeded in getting the MPAA to remove their 'University Toolkit' after claims it violated the GNU GPL. After several unsuccessful attempts to contact the MPAA directly, Garrett eventually emailed the group's ISP and the violating software was taken down."


“There are lies, damn lies, and ISP advertising...”

http://techdirt.com/articles/20071203/030737.shtml

Traffic Shaping In The UK: Who's Honest And Who's Not...

from the sound-familiar? dept

While we've mostly been focused on the debates over traffic shaping and false advertising in the US with the likes of Comcast and Verizon, there's an interesting parallel over in the UK. Just like Verizon, it appears that Virgin Media's broadband offering is advertised as unlimited, even as the reality suggests quite differently. It's "unlimited within a fair-usage limit." That sounds like "limited" to me. In fact, the article notes, a Virgin Media user paying for unlimited service could find his bandwidth suddenly capped after just 20 minutes of straight downloading. That seems like quite a limit.

Much more interesting, however, is the story of Plusnet, an ISP that was recently bought by BT. It does traffic shaping, but unlike just about every other ISP, is incredibly honest and upfront about what it's doing. This is exactly what many people have been telling Comcast it should do. There are supporters of Comcast's efforts who insist that if Comcast did such a crazy thing as to actually tell its customers what it's doing, it would ruin the whole plan. However, the details from Plusnet show that's not the case at all. Plusnet makes it very clear what it's doing, explains to users what to expect, and even helps them understand when it makes more sense to use high bandwidth applications. According to the few supporters of Comcast out there, this would never work -- and yet, it clearly does work for Plusnet. Not only that, the article notes that Plusnet's customer satisfaction rating has been growing steadily. So, once again, we'll ask what could possibly be wrong with Comcast telling the truth about the fact that it's using traffic shaping to prevent certain actions?



Tipping points are worth considering... If they are real.

http://yro.slashdot.org/article.pl?sid=07/12/03/235241&from=rss

MP3 Format Still Gathering Momentum

Posted by kdawson on Monday December 03, @07:40PM from the thrashing-of-expiring-dinosaurs dept.

PoliTech sends us over to Billboard.com for a detailed article about the coming tipping point in the music business in favor of MP3. The two biggest drivers pushing Warner and Sony BMG toward MP3 are an upcoming massive Amazon-Pepsi download giveaway and a positive move by the usually maligned Wal-Mart (according to sources): "...Wal-Mart [alerted] Warner Music Group and Sony BMG that it will pull their music files in the Windows Media Audio format from walmart.com some time between mid-December and mid-January, if the labels haven't yet provided the music in MP3 format."



“Und next, ve vill require RFID chips!” No doubt it greatly improved the educational experience...

http://www.pogowasright.org/article.php?story=20071204055357589

N.J. college makes GPS mobiles mandatory

Tuesday, December 04 2007 @ 05:53 AM EST Contributed by: PrivacyNews News Section: Minors & Students

Montclair State University is one of the first schools in the U.S. to use GPS tracking devices, which along with other security technology are increasingly being adopted on campuses in the wake of the Virginia Tech massacre last spring.

.... Two years ago, well before Virginia Tech, Montclair State made the cellphones mandatory for all first-year students living in dorms at the largely commuter school in suburban New York City. Now, all new full-time undergraduates — whether they live on campus or off — are required to buy them. About 6,000 students have them now.

Source - AP via USA Today



For your Security Manager...

http://it.slashdot.org/article.pl?sid=07/12/04/044215&from=rss

Wireless Keyboard "Encryption" Cracked

Posted by kdawson on Tuesday December 04, @05:47AM from the hardly-needs-a-brute dept. Security Input Devices Wireless Networking

squidinkcalligraphy writes "While everyone is going on about wireless network security, it seems few have considered that increasingly common wireless keyboards can be vulnerable to eavesdropping. Particularly when the encryption is pitifully weak. All that's needed is a simple radio receiver, sound card, and a brute-force attack on the 8-bit encryption used. Passwords galore! Bluetooth, it seems, is safe for the moment."



Something useful for everyone...

http://www.bespacific.com/mt/archives/016710.html

December 03, 2007

New on LLRX.com for November 2007



Fortunately, I have several in my advanced math class...

http://science.slashdot.org/article.pl?sid=07/12/03/1646246&from=rss

Chimps Outscore College Students on Memory Test

Journal written by arbitraryaardvark (845916) and posted by ScuttleMonkey on Monday December 03, @01:11PM

from the well-when-the-rewards-are-bananas dept.

AP's Malcolm Ritter reports that young chimpanzees were better at remembering a series of numbers flashed on a screen, than the Japanese college students used as a control group. Scientists plan to repeat the experiment using 5th graders against the great apes.

Monday, December 03, 2007

Always good for a laugh...

http://www.pogowasright.org/article.php?story=20071202171108825

Websites sell secret bank data and PINs

Sunday, December 02 2007 @ 05:11 PM EST Contributed by: PrivacyNews News Section: Breaches

Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog.

Without paying a single penny, The Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. The private account numbers, PINs and security codes were offered as tasters by illegal hacking sites in the hope that purchases would follow.

... The Times found:

More than 100 websites trafficking British bank details

A fraudster offering to sell 30,000 British credit card numbers for less than £1 each

A British “e-passport” for sale, although the Government insists that they are unhackable.

Source - TimesOnline



...because Osama might be using IRC?

http://yro.slashdot.org/article.pl?sid=07/12/02/1515247&from=rss

Questionable Data Mining Concerns IRC Community

Posted by CmdrTaco on Sunday December 02, @12:30PM from the that-eliza-can't-keep-her-mouth-shut dept. Privacy

jessekeys writes "Two days ago an article on TechCrunch about IRSeeK revealed to the community that a service logs conversations of public IRC channels and puts them into a public searchable database. What is especially shocking for the community is that the logging bots are very hard to identify. They have human-like nicks, connect via anonymous Tor nodes and authenticate as mIRC clients. IRSeeK never asked for permission and violates the privacy terms of networks and users. A lot of chatters were deeply disturbed finding themselves on the search engine in logs which could date back to 2005. As a result, Freenode, the largest FOSS IRC network in existence, immediately banned all tor connections while the community gathered and set up a public wiki page to share knowledge and news about IRSeeK. The demands are clear: remove all existing logs and stop covert operations in our channels and networks. Right now, the IRSeeK search is unavailable as there are talks taking place with Freenode Staff."



e-Discovery Not sure I'd trust this... Assumes complete knowledge of data to be discovered...

http://www.infoworld.com/article/07/12/03/autonomylegal_1.html?source=rss&url=http://www.infoworld.com/article/07/12/03/autonomylegal_1.html

Autonomy to offer first remote legal hold application

Desktop Legal Hold finds documents relevant to a litigation whether or not they have been deleted

By Ephraim Schwartz December 03, 2007

On Monday, December 3, the first anniversary of changes to the Federal Rules for Civil Procedure (FRCP), Autonomy, an archiving and e-discovery company, announced Desktop Legal Hold, calling it an industry first.

The compliance and e-discovery application remotely enforces legal holds on documents stored on local, desktop, or laptop hard drives.

... Of the 105 cases heard this year that addressed e-discovery issues, in 24 percent of those cases, there was a sanction for some sort of bad act of document or data destruction, otherwise known as spoliation, according to Kroll Ontrack, a computer forensics services company.

... The Autonomy software adds a small piece of code to a desktop or laptop that is administered from a central console. When a notification is sent to employees requesting a legal hold, the program searches laptops and desktops for all keyword and relevant concepts and words, and when it finds relevant data, it locks down the file in place. As soon as the user connects back to the network, the relevant data is uploaded.

Even if personal emails are deleted by the user, the program searches all empty spaces on a hard disk.



How to keep a child occupied for hours...

http://mysite.verizon.net/vze201j5/countdown.htm

Sunday, December 02, 2007

Perhaps they could ask an identity thief?

http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=499136&in_page_id=1770

Virgin Media faces £400million fine over customer database error which could have "fatal consequences"

Last updated at 23:46pm on 1st December 2007

Virgin Media could be hit with a £400million fine after failing to provide accurate details of 1.5million of its customers' addresses for the emergency services.

The firm, Britain's second biggest phone company, was in urgent talks with industry watchdog Ofcom last week to explain why its customers were missed off or inaccurately listed on the database, which is used by police, fire and ambulance services responding to 999 calls.

If Ofcom begins a full investigation, it could impose a fine up to £400million – ten per cent of the firm's £4billion annual turnover.



Start using the technology now, worry about all that other stuff later? (Isn't DHS paying for all these cameras as part of their search for Osama?)

http://www.pogowasright.org/article.php?story=20071202073101642

California Government Surveillance Cameras Thrive Without Safeguards

Sunday, December 02 2007 @ 07:31 AM EST Contributed by: PrivacyNews News Section: Surveillance

California cities are moving quickly to install video surveillance cameras on public streets and plazas without regulations, with little or no public debate, and without an evaluation of their effectiveness, according to an ACLU report released earlier this year.

A public records survey done by the ACLU disclosed that, even though 37 cities have some type of video surveillance program and 10 are considering expansive programs, none has conducted a comprehensive evaluation of the cameras’ effectiveness [full list of cities and their responses]. Only 11 police departments have policies that even purport to regulate the use of video surveillance. The ACLU sent Public Records Act requests to 131 jurisdictions statewide and received responses from 119 cities.

Source - California Progress Report



Includes a summary of the laws requiring SSN

http://www.pogowasright.org/article.php?story=20071201182253985

FTC Staff Issues Summary of Comments on Private-sector Use of Social Security Numbers

Saturday, December 01 2007 @ 06:22 PM EST Contributed by: PrivacyNews News Section: Fed. Govt.

The Division of Privacy and Identity Protection of the Commission’s Bureau of Consumer Protection has issued a summary of information it has obtained in preparation for an upcoming FTC workshop on private-sector use of Social Security numbers (SSNs).

[...] In July 2007, FTC staff invited interested parties to comment on the issues surrounding private sector usage of SSNs. More than 300 individuals and entities provided comments. The staff summary of the public comments and the information the staff obtained through its interviews can be found at: http://www.ftc.gov/bcp/workshops/ssn/staffsummary.pdf [pdf]

The issues will be addressed at an FTC workshop on December 10-11, 2007. More information about the workshop can be found at: http://www.ftc.gov/bcp/workshops/ssn/index.shtml.

Source - FTC Press Release



This is becoming a popular theme...

http://jurist.law.pitt.edu/monitor/2007/11/terror-presidency-duke-law-school.php

The Terror Presidency [Duke Law School]

Monday, November 12, 2007 9:43 PM ET

The Terror Presidency, Jack Goldsmith, Duke Law School, November 12, 2007 [discussing the legal issues raised by the Bush administration's approach to the war on terror]. RealPlayer, 1 hr. Watch recorded video.



Facts is facts

http://www.bespacific.com/mt/archives/016687.html

November 30, 2007

Immigrants in the United States, 2007

Center for Immigration Studies, Immigrants in the United States, 2007: A Profile of America’s Foreign-Born Population, November 2007, Steven A. Camarota. "This Backgrounder provides a detailed picture of the number and socio-economic status of the nation’s immigrant or foreign-born population, both legal and illegal. The data was collected by the Census Bureau in March 2007. Among the report’s findings: The nation’s immigrant population (legal and illegal) reached a record of 37.9 million in 2007; Immigrants account for one in eight U.S. residents, the highest level in 80 years. In 1970 it was one in 21; in 1980 it was one in 16; and in 1990 it was one in 13...Since 2000, 10.3 million immigrants have arrived — the highest seven-year period of immigration in U.S. history. More than half of post-2000 arrivals (5.6 million) are estimated to be illegal aliens; The largest increases in immigrants were in California, Florida, Texas, New Jersey, Illinois, Arizona, Virginia, Maryland, Washington, Georgia, North Carolina, and Pennsylvania."



Interesting site that claims to have 11,421 journals online, but they also generate citations for each article. (Yes, it's a cite site!)

http://www.citeulike.org/news

Wednesday 31 October, 17:30

Copy-and-Paste formatted citations from CiteULike

We've added a new feature to format citations in some commonly-used bibliography styles. You should see a citation box on each article page, the contents of which can be copied and pasted into your word processor.

There's a drop-down menu which lets you choose which style you want. Currently this contains:

* Chicago

* Elsevier

* Harvard

* MLA

* Nature

* Oxford

* Science

* Turabian

* Vancouver

... although it's remarkably easy to add other formats on demand. If there's a particular journal style you need then please just drop us a note in the discussion forum and we'll do our best to add it.



Who funded this research? There are other body parts (and wholes) that I'd like to be paid to study.

http://digg.com/health/Staring_at_Boobs_Daily_Prolongs_Men_s_Life_by_5_Years_Science_says_so_WTF

Staring at Boobs Daily Prolongs Men's Life by 5 Years, Science says so WTF!

"Just 10 minutes of staring at the charms of a well-endowed female such as Baywatch actress Pamela Lee is equivalent to a 30-minute aerobics work-out," said author Dr. Karen Weatherby, a gerontologist. If only the women would co-operate in this noble endeavour to increase our lifespan...

http://news.softpedia.com/news/10-Minutes-Of-Staring-Boobs-Daily-Prolongs-Man-039-s-Life-by-5-Years-72490.shtml

[Of course it's phony, but the comments are amusing... Bob]