Half truths or just the truth from various perspectives?
http://www.pogowasright.org/article.php?story=20080414172247619
NC: Computer Containing Test Scores Missing From School
Monday, April 14 2008 @ 05:22 PM EDT Contributed by: PrivacyNews News Section: Breaches
A school computer containing the names, test scores and Social Security numbers of students from three Stokes County high schools was stolen from a locked closet, authorities said.
The school system sent home a letter to parents last week notifying them of the theft, which affected between 400 to 800 students at West, South and North Stokes high schools.
.... "All information stored on the computer is protected by two separate security systems, each of which requires a password," [Translation: The data was not encrypted... Bob] the letter stated.
Source - WXII12.com
[From the article:
... a teacher notified us that she had misplaced (the) laptop computer," [Note that they state the computer was stolen AND misplaced. Try not to contradict yourself in the same breath – it lowers your credibility. Bob] said school system superintendent Dr. Stewart Hobbs.
All the news that didn't fit...
http://www.pogowasright.org/article.php?story=200804141500555
Data “Dysprotection:” breaches reported last week
Monday, April 14 2008 @ 03:00 PM EDT Contributed by: PrivacyNews News Section: Breaches
The weekly recap is now online in its usual place, thanks to my favorite redneck who figured out a workaround for WordPress's buggy code. If you didn't read this site over the weekend, do read the recap as there were a number of newly reported breaches over the weekend.
Source - Chronicles of Dissent
Doesn't this give you a warm, fuzzy feeling?
http://www.phiprivacy.net/?p=238
Apr-14-2008
Hospitals often fail to notify patients of data breaches
Jon Brodkin of Network World writes:
If your medical records were exposed in a security breach, would you expect the hospital to tell you? You shouldn’t. Because of regulatory loopholes, only 56% of healthcare organizations that have exposed medical records notified the patients involved, survey results issued this month found.
“There are loopholes in almost every law regulating patient data management, including the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), and Payment Card Industry Data Security Standards (PCI DSS) that have enabled breach cases to go unreported, preventing an accurate report on frequency,” says the 2008 HIMSS Analytics Report: Security of Patient Data, commissioned by Kroll Fraud Solutions.
The loopholes allow hospitals to cite “reasonable efforts,” “acceptable measures,” and similarly vague language to avoid notifying patients, the report states.
More than 1.5 million names were exposed in data breaches occurring in hospitals in 2006 and 2007, according to data cited by HIMSS Analytics.
Full story - Network World
Comment: I haven’t yet had time to read the HIMSS Analytics report in its entirety, but that 1.5 million number is something that I can comment on now. The study seemed to rely on Attrition.org’s DataLoss project. Because of Attrition’s focus and inclusion criteria, they do not include many small breaches that this site includes in our reports and analyses. There are many breaches due to insider theft of information or insider misdoing that never get included in Attrition.org’s figures. Similarly, Attrition.org does not indicate in their database whether the names and details exposed in a hospital breach are those of employees or of patients.
If you look at this site’s Chronology of Breaches for 2006 and for 2007 (both .pdf), you will only see hospitals listed if the breach affected patient data. And if we only look at patient data, then the statistic relating to hospital breaches drops to probably under 800,000 for 2006 and 2007. Of course, the chronologies only include cases or stories that were reported in the media or that we uncovered via disclosures to states attorney general, etc. The HIMSS Analytics report may reflect data or incidents never reported in the media.
No matter what source one uses, we are still only seeing the tip of the iceberg, and I agree with the overall conclusion that patients are not being notified enough.
[Free copy of the report (requires registration)
http://www.krollfraudsolutions.com/about-kroll/HIMSS-Patient-Data-Security-Study.aspx
Do we does or do we doesn't got privacy?
http://www.pogowasright.org/article.php?story=20080414115135288
Agent's case might unveil privacy issues
Monday, April 14 2008 @ 11:51 AM EDT Contributed by: PrivacyNews News Section: Fed. Govt.
Last week's acquittal of an immigration agent accused of improper use of a criminal database has raised concerns about privacy.
Supporters of agent Cory Voorhis believe that his actions justified the means in that he exposed an unpopular practice — plea deals for legal and illegal immigrants.
Voorhis, 39, was charged in U.S. District Court with misdemeanor counts of improperly accessing the National Crime Information Center database and turning over information to the Bob Beauprez for Governor campaign.
The information was later used in a political ad against Bill Ritter, who still won the 2006 election.
But others wonder if Voorhis' decision to turn over records to a political campaign opens the door to more breaches of personal information.
Source - Denver Post hat-tip, Flying Hamster
[From the article:
But others wonder if Voorhis' decision to turn over records to a political campaign opens the door to more breaches of personal information.
"Then what happens if the data is about your granddaughter? That makes people think a few more times," said John Soma, a University of Denver law school professor and executive director of the Privacy Foundation. "At least from the privacy world, this is a major concern. If this guy walks, is your data basically unprotected?
How they do it down under...
http://www.pogowasright.org/article.php?story=20080415064830431
AU: Draft guidelines issued for reporting of data breaches
Tuesday, April 15 2008 @ 06:48 AM EDT Contributed by: PrivacyNews News Section: Breaches
The Australian Privacy Commissioner Karen Curtis is seeking feedback from the businesses community in response to the release of a draft Voluntary Information Security Breach Notification Guide Tuesday.
Currently there are no specific requirements under the Privacy Act for organizations to notify individuals of an information security breach.
However, a proposal to make notification of information security breaches mandatory is being considered by the Australian Law Reform Commission (ALRC) as part of a national privacy review.
Source - The Industry Standard
Related: Draft Voluntary Information Security Breach Notification Guide: html pdf doc
Related - Commissioner's Press Release
Perhaps the cell phone companies will lobby to make this mandatory?
http://www.bespacific.com/mt/archives/018100.html
April 14, 2008
FCC Adopts Rules for Delivery of Commercial Mobile Alerts to the Public During Emergencies
News release: "The Federal Communications Commission (FCC)... adopted a First Report and Order (Order) that will support the ability of the nation’s wireless carriers to transmit timely and accurate alerts, warnings and critical information to the cell phones and other mobile devices of consumers during disasters or other emergencies. In compliance with the Warning, Alert and Response Network Act (WARN Act), the Order adopts relevant technical requirements based on the recommendations of the Commercial Mobile Service Alert Advisory Committee (CMSAAC) for the transmission of such emergency messages to the public. During emergencies, Americans increasingly rely on wireless telecommunications services and devices to receive critical, time-sensitive information anywhere, anytime. Once fully implemented, the Commercial Mobile Alert System (CMAS) will help ensure that Americans who subscribe [currently “opt in” Bob] to participating wireless services receive emergency alerts when there is a disaster or emergency that may impact their lives or well-being."
Related. Will students be required to purchase a cell phone if they don't have one?
http://www.pogowasright.org/article.php?story=20080414134509199
Privacy, security concerns? When colleges require your cellphone number to register for classes
[Update2] Monday, April 14 2008 @ 01:45 PM EDT Contributed by: PrivacyNews News Section: Minors & Students
PogoWasRight.org editor's note: the following blog is not one of our usual sources, but is included because it contains correpondence from the university and discussion by students of policies that some may view as a privacy issue:
Check out this bureaucratic bullshit. My wonderful school, NYU, now requires students surrender their cellphone number in order to register for Fall classes. It’s all in the name of safety, of course, as are most attacks on liberty. Think of the children, we’re only protecting you, etc.
I’ve included the full text of the e-mail, if you’re so inclined.
Source - CrunchGear blog
Tools & Techniques Once they have this information, I suspect they will find a way to make it generate revenue.
Tracking device on bins ensures residents chip in
Jano Gibson, Urban Affairs Reporter April 14, 2008
Bin Brother is watching you.
When Randwick City Council began replacing its 78,000 residential garbage and recycling bins last month, a resident, Dan Himbrechts, scratched his head. Why get rid of old ones that seemed to work perfectly well?
His suspicions grew further when he noticed a small, flat, circular object hidden under the rim of his new bin. About the size of a 10-cent coin, it had the letters "TI-RFid" embossed on it.
... Both councils have waste collection contracts with WSN Environmental Solutions, a state-owned company whose garbage trucks are able to weigh bins as they are unloaded onto the truck.
The bin weight is then linked to residents' addresses by way of the devices, which transmit unique identification codes to receivers on the trucks.
... But the councils insist they are not spying on their residents' waste habits, or planning to use the technology to increase waste levies in the future.
They say they are using the data to help identify areas where people are not recycling enough. [Either you will be 'fined' or Al Gore will picket your house. Bob]
This compliments David Paul's assertion (Computer and Dynamo: The Modern Productivity Paradox in a Not-Too-Distant Mirror)that it take 20 years for industry to start using technology to the full.
http://hbswk.hbs.edu/item/5912.html
An Exploration of Technology Diffusion
Authors: Diego A. Comin and Bart Hobijn
Abstract
... Our results reveal that, on average, countries have adopted technologies 47 years after their invention. There is substantial variation across technologies and countries. Over the past two centuries, newer technologies have been adopted faster than old ones. The cross-country variation in the adoption of technologies accounts for at least a quarter of per capita income differences.
Download the paper: http://www.hbs.edu/research/pdf/08-093.pdf
This is a bit complicated, but briefly it means that if you use Gmail and you store your login information in a cookie (enters your userid and password for you) I can steal that cookie and access all of your data on any Google app. (Known since at least 2004)
http://www.news.com/8301-10789_3-9918582-57.html?part=rss&subj=news&tag=2547-1_3-0-5
Gmail cookie stolen via Google Spreadsheets
Posted by Robert Vamosi April 14, 2008 3:24 PM PDT
Security researcher Bill Rios reported Monday that a cross-site scripting (XSS) attack against Google Spreadsheet could have exposed all of Google's services. XSS can occur whenever a legitimate site accepts input from the user but does not filter that input properly and could allow the injection of potentially malicious instructions. In this case, however, once an attacker gained access to any xxxx.google.com site, they would have access to other Google services, such as Gmail, Docs, and Code.
[The paper:
http://www.leviathansecurity.com/pdf/Flirting%20with%20MIME%20Types.pdf
This might be of interest to your Security team and your Lawyers...
http://www.technewsworld.com/rsstory/62584.html
Mid-Sized Businesses and the Quest for Compliance
By Jack M. Germain E-Commerce Times Part of the ECT News Network 04/15/08 4:00 AM PT
Large enterprises have teams of IT admins to tackle the big task of compliance with regulations like HIPAA, SOX and PCI DSS. Mid-sized firms, however, have plenty of records to account for but not as many resources to do the accounting. Some simply resign themselves to penalties if and when they're ever audited. Some software makers, however, are beginning to address the niche.
The most ambitious project I've seen, but the concept does not require AI and many computers, just an idea and basic search skills.
He Wrote 200,000 Books (but Computers Did Some of the Work)
By NOAM COHEN Published: April 14, 2008
... But these are not conventional books, and it is perhaps more accurate to call Mr. Parker a compiler than an author. Mr. Parker, who is also the chaired professor of management science at Insead (a business school with campuses in Fontainebleau, France, and Singapore), has developed computer algorithms that collect publicly available information on a subject — broad or obscure — and, aided by his 60 to 70 computers and six or seven programmers, he turns the results into books in a range of genres, many of them in the range of 150 pages and printed only when a customer buys one.
... “If you are good at the Internet, this book is useless,” he said, adding that Mr. Pascoe simply should not have bought it. But, Mr. Parker said, there are people who aren’t Internet savvy who have found these guides useful.
... Mr. Parker compares his methods to those of a traditional publisher, but with the computer simply performing some of the scut work. In an explanatory YouTube video, Mr. Parker shows a book being created.
For my web site students – and anyone with something to say.
http://www.cnet.com/8301-13505_1-9918865-16.html?part=rss&subj=news&tag=2547-1_3-0-5
Open sourcing Web video with Kaltura
Posted by Matt Asay April 14, 2008 9:33 PM PDT
There used to be a time when proprietary "Internet TV platform" providers Brightcove and Maven used to sleep soundly at night....
That was life Before Kaltura (BK).
Kaltura is an open-source "video application server," and has been getting tremendous press. After spending a half-hour on the phone with co-founder Shay David today, I can see why. This is such a cool open-source opportunity:
Kaltura's open source platform enables any site to seamlessly and cost-effectively integrate advanced interactive rich-media functionalities, including video searching, uploading, importing, editing, annotating, remixing, and sharing. Kaltura' goal is to bring interactive video to every site and to create the world's largest distributed video network.
... Interested? You can download Kaltura's GPL code on Sourceforge, and give it a spin here.
No comments:
Post a Comment