1) If you only improve your security, have you shifted the liability to others? 2) Is that a reasonable strategy or should “protecting our customers” be in there somewhere?
http://www.pogowasright.org/article.php?story=20080428071107198
(follow-up) Paying breach bill may not buy Hannaford full data protection
Monday, April 28 2008 @ 07:11 AM EDT Contributed by: PrivacyNews News Section: Breaches
Hannaford Bros. Co. said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the recent theft of up to 4.2 million credit and debit card numbers from its systems.
Some of the new measures that the grocer outlined go beyond the controls mandated by the Payment Card Industry Data Security Standard, or PCI. But it isn't clear whether they actually will address the issues that led to the data breach.
Source - Computerworld
[From the article:
Huguelet said that the planned end-to-end encryption of card data also sounds good — on paper. But to make the data hacker-proof, he added, it would have to be encrypted from the PIN entry devices in stores to the systems of the payment-processing firm that authorizes card transactions.
And because almost no payment processors accept encrypted data at this point, Hannaford would likely need to convince the firm it works with to make system changes as well.
Similarly, Hannaford's decision to replace all of its existing PIN entry devices puts it ahead of the curve in meeting a PCI mandate that companies must start using models with built-in support for Triple DES by July 2010.
But in most cases, the Triple DES technology encrypts only a customer's PIN, according to Huguelet. So even if Hannaford was already using such devices, it's unlikely that they would have prevented the card numbers from being compromised, he said.
Litan views Hannaford's plan to bolster its network defenses via the use of intrusion-prevention systems as another step in the right direction. But she said there are indications that the breach may have been the handiwork of a rogue insider — in which case the intrusion-prevention tools probably wouldn't have helped stop the attack.
...because...
http://www.pogowasright.org/article.php?story=20080428065836714
Data “Dysprotection:” breaches reported last week
Monday, April 28 2008 @ 07:10 AM EDT Contributed by: PrivacyNews News Section: Breaches
A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.
Source - Chronicles of Dissent
“Don't tell us what could go wrong, wait until the e-chad hang, then tell us what we could have done to prevent it...”
http://techdirt.com/articles/20080426/142226957.shtml
New Jersey Court Says Independent Investigators Can Review E-Voting Machines
from the protect-the-vote dept
Last month, e-voting firm Sequoia threatened both independent researchers and New Jersey election officials if those independent researchers were allowed to inspect Sequoia's e-voting machines. This seemed like a very odd threat for a variety of reasons. Why wouldn't Sequoia want its machines inspected? The very fact that it was threatening legal action seemed like grounds to simply never use Sequoia e-voting machines. Sequoia claimed that existing inspections were enough, despite a history of problems in those inspections. Furthermore, Sequoia's own explanations for the problems with its machines in the primary elections this year were wrong. Ed Felten found that Sequoia's explanations didn't actually explain many of the problems. Unfortunately, though, with the threat of legal action, New Jersey agreed not to have Felten test the machines.
However, a New Jersey state judge has now ruled that it's perfectly reasonable for independent inspectors to review the machines. Unfortunately, she pushed back the date for such inspections until September, meaning that it won't affect this year's presidential election -- which will still use machines that may have problems. So while Sequoia didn't succeed in stopping independent examination of its machines, it did stall the process long enough so that the existing machines will stay in use for this year's elections -- despite the long list of problems that have been discovered with them. Apparently, we're still in beta when it comes to democracy.
Do they “get it?”
Users Demand Expertise at How-To Web Sites
By BOB TEDESCHI Published: April 28, 2008
IF the Internet can make anyone a star, can it turn Barnes & Noble into one, too?
The bookseller has taken another step beyond its traditional business into the online publishing world, recently introducing Quamut.com, a site that teaches Web users things as diverse as the basics of football and how to build a Web site.
... Quamut differentiates itself from the long list of how-to sites like eHow, HowStuffWorks.com and, to a lesser degree, About.com (which is owned by The New York Times Company), with a somewhat novel twist: selling downloadable documents of its otherwise free content.
Some “expertise” isn't fully appreciated...
http://www.bespacific.com/mt/archives/018198.html
April 27, 2008
EU Backs Criminalizing Posting Bomb Making Instructions on Web
European Digital Rights: "The European Ministers of Justice and Internal Affairs have agreed to make publishing bomb-making instructions on the Internet a crime...Justice and interior ministers from the EU member states backed a proposal from Commissioner Frattini to harmonise the normative acts that will make the "public provocation to commit a terrorist offence, recruitment, and training for terrorism" a crime. According to the statements of the EU officials publishing these acts on the Internet completed the European legislation in this domain. They described the Internet as "a virtual training camp for militants, used to inspire and mobilise local groups." Gilles de Kerchove, the EU anti-terrorism co-ordinator, declared that there are approx. 5,000 websites that are used to radicalise young people."
Council of Europe: Why terrorism? Addressing the Conditions Conducive to the Spread of Terrorism, Strasbourg, 25-26 April 2007, Conclusions
EU Project on Cybercrime: Guidelines for the cooperation between law enforcement and internet providers against cybercrime, April 2, 2008 (provisional)
Interesting talk at the Berkman Center
http://tech.slashdot.org/article.pl?sid=08/04/27/1422258&from=rss
Mining the Cognitive Surplus
Posted by kdawson on Sunday April 27, @02:28PM from the looking-for-the-mouse dept.
Clay Shirky has been giving talks on his book Here Comes Everybody — his "masterpiece," per Cory Doctorow — and BoingBoing picks up one of them, from the Web 2.0 conference. Shirky has come up with a quantification of the attention that TV has been absorbing for more than half a century. Shirky defines as a unit of attention "the Wikipedia": 100 million person-hours of thought. As a society we have been burning 2,000 Wikipedias per year watching mostly sitcoms. We're stopping now. Here's a video of another information-dense Shirky talk, this one at Harvard.
Another column on e-discovery, with some interesting links...
http://ralphlosey.wordpress.com/2008/04/26/e-discovery-at-the-harvard-club-in-new-york-city/
e-Discovery at the Harvard Club in New York City
[I had never heard of the Legal Electronic Document Institute for instance http://www.gulfltc.org/ Bob]
I wonder if anyone in Congress has heard of these?
http://blog.lib.umn.edu/lawlib/lexlibris/2008/04/congressional_research_video_t.html
Congressional Research: Video Tutorials
The University of California at Berkeley has created several video tutorials that demonstrate how to do Congressional research in the following areas, each of which is highly useful for law students:
Finding bills and Congressional debates from 1989 forward on Thomas
Finding a Congressional report on LexisNexis Congressional
Finding debates from 1873 to the present in print in the Congressional Record.
Note that the video tutorials last from two to five minutes apiece, and that they require Macromedia’s Flash player to be installed on your computer.
Sometimes it's hard to tell the difference between good legal research and great legal research. Here is one or the other from Stephen Rynerson
http://www.bbspot.com/News/2008/04/top-11-privacy-policy.html
Lines You Don't Want to See in a Privacy Policy
11. No one will have access to your data, not even my brother-in-law in the Russian mafia.
10. We collect personal information including pages visited and time spent on pages. Also a man will be around tomorrow to collect your fingerprints, a vial of urine and a DNA sample.
9. Sharing is caring. We care about your privacy.
8. We do not ask children under 13 for personal information, but we wouldn't mind if they sent us pictures.
7. Your credit card information will be securely stored using our patented ROT-26 encryption.
6. We reserve the right to use any pictures we may have obtained from your unsecured webcam.
5. We limit access to your personal information to anyone in our company with a computer and an Internet connection.
4. We will not sell your personal information unless offered money for it.
3. Just because we don't share your private information doesn't mean our spyware won't.
2. If an employee from our company shows up at your door with flowers, he certainly didn't get the information from us.
1. We're doing a heckuva job protecting your privacy.