Tuesday, August 19, 2008

“We just put the data any old place, and never bother checking for security...” Why would this data need to be on a web server in the first place?

http://www.pogowasright.org/article.php?story=20080819052417166

Student Files Are Exposed on Web Site

Tuesday, August 19 2008 @ 05:24 AM EDT Contributed by: PrivacyNews

The Princeton Review, the test-preparatory firm, accidentally published the personal data and standardized test scores of tens of thousands of Florida students on its Web site, where they were available for seven weeks.

A flaw in configuring the site allowed anyone to type in a relatively simple Web address and have unfettered access to hundreds of files on the company’s computer network, including educational materials and internal communications.

... One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla., where the Princeton Review was hired to build an online tool to help the county measure students’ academic progress. The file included the students’ birthdays and ethnicities, whether they had learning disabilities, whether English was their second language, and their level of performance on the Florida Comprehensive Assessment Test, which is given to students in grades 3 to 11.

Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va., which had hired the Princeton Review to measure and improve student performance. NY Times

[Perhaps this is the original article: http://www.nytimes.com/2008/08/19/technology/19review.html?hp

... The Princeton Review said the student information should have been protected by a password, [i.e. Not really protected. Bob] but that the protection was most likely lost when the company moved its site to a new Internet provider in late June.

... One folder on the Web site gave unusual insight into how test preparation companies use older exams to prepare their practice tests. The folder contained digital scans of eight official SATs and six PSAT exams from 2005 through 2007. The tests are created by the Educational Testing Service, a nonprofit organization in Princeton, N.J.

... He said he would need more information to determine whether the Princeton Review had properly attained [interesting word choice... Bob] and used the exams.

The Web error indicates that the Princeton Review neglected several accepted online security practices.
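The failure mode in this story is mundane: a password requirement that existed on the old host was silently lost in a migration, and nobody re-checked. What follows is an added example (not code from the article or from the Princeton Review) of the kind of regression check a practitioner would run after any hosting move: fetch each path that is supposed to require credentials anonymously and flag anything that comes back readable, treating an auto-generated directory index as the worst case because it makes a whole folder enumerable. The paths and responses below are constructed for illustration; the real check would use a list of paths taken from the site's own access-control configuration.

```python
"""Post-migration access-control regression check (added example).

Given a list of URL paths that are supposed to require authentication,
fetch each one without credentials and classify the result:
  "listing" - a directory index was served (whole folder enumerable)
  "open"    - content was served with no credentials
  "ok"      - access was denied, redirected, not found, or a login form came back
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Signatures of auto-generated directory indexes (Apache/nginx/IIS).
INDEX_PATTERNS = [
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r"<h1>\s*Index of /", re.I),
    re.compile(r"\[To Parent Directory\]", re.I),
]
LOGIN_FORM = re.compile(r'<input[^>]+type=["\']?password', re.I)


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Finding:
    path: str
    problem: str  # "listing" | "open" | "ok"


def looks_like_directory_listing(body: str) -> bool:
    return any(p.search(body) for p in INDEX_PATTERNS)


def classify(resp: Response) -> str:
    """Classify an anonymous fetch of a path that should be protected."""
    if resp.status in (401, 403):
        return "ok"  # challenge or denial: protection is in place
    if 300 <= resp.status < 400:
        return "ok"  # assume a redirect to a login page; confirm the target by hand
    if resp.status == 200 and looks_like_directory_listing(resp.body):
        return "listing"
    if resp.status == 200 and LOGIN_FORM.search(resp.body):
        return "ok"  # a login form served at the protected URL, not the content
    if resp.status == 200:
        return "open"
    return "ok"  # 404 and friends: nothing served


def check_protected_paths(fetch: Callable[[str], Response],
                          paths: List[str]) -> List[Finding]:
    """Run the check over every path using the supplied fetch function."""
    return [Finding(p, classify(fetch(p))) for p in paths]


def exposed(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.problem != "ok"]


# Constructed sample site standing in for a real HTTP client. The paths are
# hypothetical; in practice `fetch` would be a thin wrapper around urllib
# or requests that sends no cookies or Authorization header.
FAKE_SITE: Dict[str, Response] = {
    "/protected/": Response(200, "<html><head><title>Index of /protected/</title></head>"),
    "/protected/scores.csv": Response(200, "student_id,dob,score\n1001,2001-04-02,310\n"),
    "/protected/login": Response(200, '<form><input type="password" name="pw"></form>'),
    "/admin/": Response(401, ""),
    "/internal/notes.txt": Response(302, ""),
}


def fake_fetch(path: str) -> Response:
    return FAKE_SITE.get(path, Response(404, ""))


def run_sample() -> Dict[str, str]:
    """Check every path in the constructed site; returns path -> classification."""
    findings = check_protected_paths(fake_fetch, sorted(FAKE_SITE))
    return {f.path: f.problem for f in findings}


if __name__ == "__main__":
    for f in exposed(check_protected_paths(fake_fetch, sorted(FAKE_SITE))):
        print(f"{f.problem:8} {f.path}")
```

Two caveats worth keeping in mind when using something like this for real: a 3xx is only reassuring if the redirect actually lands on a login page rather than on the content itself, and the "listing" signatures only cover the stock index pages of common servers, so a custom index template will show up as plain "open" instead.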



Maybe Childs was right, no one else is competent!

http://weblog.infoworld.com/venezia/archives/018196.html

The Terry Childs case on pause, and an apparent new security issue for the city of San Francisco

August 15, 2008

... Childs still sits in jail, being blamed for the delay in San Francisco's planned expansion of their ShotSpotter service.

... Also, a reader hipped me to a very strange site. I won't release the URL here, since it appears to be part of a disaster recovery effort for the San Francisco IT department (DTIS).

... This site is not password protected. It's wide open. It's even in Google's cache.

... I thought that publishing VPN groupnames and passwords was an absurd example of incompetence, but if this site is for real, it's a tight race.



If I read this right, they are saying “We take data from many systems and match/combine/analyze it to identify threats. You can ask each of the (unidentified) providers for your data and correct it all you want, but the algorithm we use to produce the threat report is so embarrassingly bad we don't want you to even see the results.”

http://www.pogowasright.org/article.php?story=20080819050836249

Analysis tool exempt from some privacy laws

Tuesday, August 19 2008 @ 05:08 AM EDT Contributed by: PrivacyNews

People whose biographic or biometric data is being analyzed by a new Immigration and Customs Enforcement (ICE) data system will not automatically be granted access to their records or be able to review them for accuracy as usually permitted by federal privacy protection laws.

The Homeland Security Department has decided to exempt the Immigration and Customs Enforcement Pattern Analysis and Information Collection System (ICEPIC) -- which contains data culled from numerous DHS databases -- from several Privacy Act provisions that allow individuals to access their records. DHS, ICE’s parent organization, said in a final rule for the system published today in the Federal Register that the exemptions were necessary because of “criminal, civil, and administrative enforcement requirements."

Source - FCW



“I have always relied on the ignorance of users.” Blanche DuBois

http://techdirt.com/articles/20080818/1153372012.shtml

Latest Sneaky Web Attack: Hijacking Your Clipboard To Post Spammy Links

from the now-that's-creative dept

Spammers and scammers keep upping the game against security researchers, sometimes in creative ways. And, in fact, it would appear that the latest sneaky trick making the rounds is almost admirable in its sneakiness. For example, take a look at this latest hack, which hijacks your clipboard, and repeatedly places a link to a site for fake security software. The hijack takes place through flash advertisements (even those found on legit sites), which is all the more reason to use AdBlock or FlashBlock or NoScript or something to protect you. However, what it's banking on, is the fact that plenty of people quickly cut and paste links they want to send around or post in other blogs and forums. When done quickly, many people won't even notice that they're not pasting the link they thought they cut from elsewhere -- thus getting lots of folks to inadvertently spam links. This must be incredibly annoying for those who get hit with it, but that doesn't take away from the creativeness of the attack itself. Even security researchers, like Mikko Hypponen, are grudgingly tipping their hats on this hack: "It is a pretty clever technique. Our work would be so much easier if our enemy would be stupid."



If enough RIAA members come to this conclusion, perhaps the madness will stop?

http://techdirt.com/articles/20080817/2249292000.shtml

More Media Companies Realizing That They Can Profit From 'Pirated' Content On YouTube

from the about-freakin'-time dept

Pretty much every day or so, we end up getting into a debate somewhere in the comments here on Techdirt concerning the rather important distinctions between "theft" and "copyright infringement." While there are a bunch (the lack of a "loss" on the part of the owner being a big one), one important one is that you don't see anyone choosing on purpose to allow theft of their own products in order to boost their business -- yet, we see folks purposely choosing to allow copyright infringement to boost their own business models all the time.

In fact, the NY Times notes that a growing number of media companies have stopped sending takedown notices to YouTube, preferring to use the videos on YouTube as a part of their business model. Google has helped them out in this manner by allowing copyright holders to "claim" videos that they did not upload, and choose to share in the revenue created by ads, rather than requiring a takedown. Among those who have stopped doing takedowns entirely are CBS, Universal Music, Lionsgate and Electronic Arts. Universal Music is a bit surprising, given how it's been even more adamant than any of the other major record labels concerning how evil copyright infringement is. The NYT's is surprised by CBS's involvement, given that it's the sister company of Viacom, who is famously suing YouTube for $1 billion. Yet, CBS has always been much more open to YouTube, recognizing that if its shows were being uploaded, that was a sign of having a lot of fans, not something to be shut down.

The president of digital media at Lionsgate makes the point pretty clearly, saying that the company:

"[Doesn't] like the idea of keeping fans of our products from being able to engage with our content. For the most part, people who are uploading videos are fans of our movies. They're not trying to be evil pirates, and they're not trying to get revenue from it."

If only others would recognize this simple fact. Of course, a good starting point would be recognizing that copyright infringement isn't "theft."



Corollary to the “Streisand Effect?”

http://techdirt.com/articles/20080818/0145542001.shtml

Be Careful What You Subpoena. It May Turn Up More Than You'd Like People To Know

from the oops dept

Remember the VC firm, EDF Ventures, which brought a lot more attention to a negative review on the website TheFunded.com by sending a subpoena to find out who wrote the negative review? Well, it turns out the decision keeps getting worse and worse. VentureBeat has the details that were turned up by the subpoena -- and the result is more details of the criticism, but no identifying information of the poster. Since TheFunded allows parts of comments to be public, with other parts designated as "members only," the subpoena has now made the "members only" content public, and it trashes the deal terms offered by the firm and criticizes a partner who has no operating experience. Also, the details suggest that this wasn't a spurned entrepreneur, but an adviser or partner in some manner. Either way, beyond drawing more attention to a negative review, now the firm has made public even more critical info.



Let's hope they don't print everything...

http://www.bespacific.com/mt/archives/019086.html

August 18, 2008

Digital Preservation Project for Government Web Pages of Bush Presidency

Project will preserve Bush administration Web sites, By Jill R. Aitoro: "More than 100 million Web pages from President Bush's second term will be preserved for historians, researchers and the public, thanks to a joint effort announced on Thursday of government agencies and non-profit libraries. The Library of Congress and Government Printing Office, in partnership with the California Digital Library, University of North Texas Libraries and Internet Archive, will harvest and archive all Web sites that could change under a new presidential administration. The total amount of data in the collection, which will focus on executive and legislative branch sites, is expected to reach 10 to 12 terabytes."



Wouldn't this type of project be as educational as writing a paper for the law school journal?

http://yro.slashdot.org/article.pl?sid=08/08/18/1436212&from=rss

Grokking SCO's Demise

Posted by CmdrTaco on Monday August 18, @01:00PM from the remember-that-one dept. Caldera The Courts Technology

An anonymous reader writes

"You have already heard the news that the SCO Group's US$5 billion threat against Linux is effectively finished. It was the Web site Groklaw.net that broke the news and posted the complete 102-page ruling; after that, it was picked up by mainstream media and trade press. In fact, it's Groklaw that has covered every aspect of SCO's legal fights with Linux vendors IBM, Novell and Red Hat and Linux users Daimler Chrysler and AutoZone ever since paralegal Pamela Jones started the site as a hobby in 2003. This feature does a great job [not really... Bob] of chronicling Groklaw's hand in the demise of SCO's case."



Lost opportunity

http://news.slashdot.org/article.pl?sid=08/08/18/1634257&from=rss

RIAA 'Elektra V. Barker' Case Is Settled

Posted by CmdrTaco on Monday August 18, @03:30PM from the are-we-there-yet dept. The Courts

NewYorkCountryLawyer writes

"Elektra v. Barker, one of the leading cases repudiating the RIAA's 'making available' theory, has been settled. Unlike in most cases, the actual settlement agreement (PDF) is on file with the Court, and a matter of public record. Now Ms. Barker's attack on the constitutionality of the RIAA's damages theory, as well as her other defenses — including unclean hands based on MediaSentry's illegal behavior, the RIAA's inability to sue for statutory damages, and innocent infringement — will not be adjudicated, and it will fall on the shoulders of other defendants to carry the day on those issues. Ms. Barker, a young social worker who lives in the Bronx, once told p2pnet "I love music. I grew up in a house where music was played all the time. We had milk crates filled with albums.... So to be sued for having music files on my computer is an insult. It's a slap in the face. This experience has left such a bad taste in my mouth that I wanted to swear off music.""



Might be an interesting exercise to link all of the laws and resources mentioned, sample notification letters, etc....

http://www.infoworld.com/article/08/08/18/34FE-data-breach-notification-laws_1.html?source=rss&url=http://www.infoworld.com/article/08/08/18/34FE-data-breach-notification-laws_1.html

What to do in the event of a data breach

A complex patchwork of disclosure laws awaits you. Know what is required of IT before disaster strikes

  • By Thomas J. Smedinghoff August 18, 2008


Related but broader

http://www.infoworld.com/article/08/08/18/34FE-data-security-legal-obligations_1.html

Data security: What the law requires of IT

IT's legal duty to secure sensitive data is complex and continuously evolving. Here's how to avoid the legal ramifications of a data breach

  • By Thomas J. Smedinghoff August 18, 2008

[Three-part video on “reasonable security”:

http://www.infoworld.com/video/Events/Security/What-the-Law-Requires---Part-1-of-3/video_1327.html?source=fssr [Duty to provide security? Bob]

http://www.infoworld.com/video/Events/Security/What-the-Law-Requires---Part-2-of-3/video_1328.html?source=fssr

http://www.infoworld.com/video/Events/Security/What-the-Law-Requires---Part-3-of-3/video_1329.html?source=fssr



Think of it as a checklist... Then ask yourself, “What's missing?”

http://www.bespacific.com/mt/archives/019085.html

August 18, 2008

UK National Risk Register

"The Government has published a National Risk Register which sets out our assessment of the likelihood and potential impact of a range of different risks that may directly affect the UK. The National Risk Register is designed to increase awareness of the kinds of risks the UK faces, and encourage individuals and organisations to think about their own preparedness. The register also includes details of what the Government and emergency services are doing to prepare for emergencies."



If the government mandates that detectors are to be built into our phones, would they also include a way to let us know? Probably not. False positives would induce panic and true positives would tip off the terrorists on their cell phones.

http://digg.com/gadgets/Using_Cell_Phones_to_Detect_Dirty_Bombs

Using Cell Phones to Detect "Dirty Bombs"

msnbc.msn.com — The fight against terror is shrinking. As science races to confront terrorism with new technology, researchers are unveiling a new generation of devices featuring ever-more sophisticated sensors to quickly detect explosives, radiation, chemicals and biological agents.

http://www.msnbc.msn.com/id/26044715/



Ooooh! I want one! Should make a great uninterruptible power supply! And I promise not to use it as a weapon. Unless my neighbor really irritates me.

http://hardware.slashdot.org/article.pl?sid=08/08/18/2353255&from=rss

Amateur Scientists Seek Fusion Reaction

Posted by kdawson on Monday August 18, @09:37PM from the things-that-hopefully-do-not-go-boom dept. Hardware Hacking Science

ElvaWSJ writes

"A small subculture of amateur physicists and science-fiction fans — fewer than 100 worldwide — are building working nuclear-fusion reactors at home. The designs are based on the work of Philo T. Farnsworth, an inventor of television, from the 1960s. Some of these hobbyists hope similar reactors can one day power the planet, but so far they consume more energy than they create."
