Wednesday, August 06, 2008

Well, well, well. It looks like yesterday's FTC Consent Order was issued just in time (I'm sure it was pure coincidence). But an entirely new thread of the story begins. Let's see if TJX has been truthful in its (very limited) disclosures.

http://www.pogowasright.org/article.php?story=2008080512390562

U.S. charges 11 in theft of TJX customer data

Tuesday, August 05 2008 @ 12:39 PM EDT Contributed by: PrivacyNews

The U.S. Justice Department said on Tuesday it has charged 11 people in the theft of tens of millions of credit and debit card numbers of customers shopping at major U.S. retailers, including TJX Cos Inc.

The U.S. Attorney in Boston said those charged were involved in the theft of more than 40 million credit and debit card numbers.

Source - Reuters

[From the article:

The U.S. Attorney in Boston said those charged were involved in the theft of more than 40 million credit and debit card numbers from retailers that included: BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. [Maybe things aren't as resolved as I had assumed. TJX alone lost 95 million card numbers. (The article says 45.7 but that was only the initial number reported) This looks like a small fraction, suggesting there was at least one other hacker. Bob]

The charges target three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus. [The Internet facilitates “Virtual Gangs” as easily as it does any collaborative project. Bob]

Gonzalez, who is being held by New York authorities on another computer hacking-related charge, was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy, authorities said.

He faces life in prison if convicted of all charges. [What does that work out to be on a “per card” or “per dollar” basis? Bob]


Related

http://www.pogowasright.org/article.php?story=20080805134023575

Remarks Prepared for Delivery by Attorney General Michael B. Mukasey at the Identity Theft Press Conference

Tuesday, August 05 2008 @ 01:40 PM EDT Contributed by: PrivacyNews


Seems related, but no idea what letters they are talking about. TJX sent letters only to those whose driver's licenses were compromised, if I recall correctly. Are these new victims?

http://www.13wham.com/news/local/story.aspx?content_id=c92b27b9-4353-4552-9763-df98e1050f9a

Identity Theft Victim Letters Go Out

Last Update: 7:10 am

(Washington) -- On Tuesday, notices go out to people whose identities have been compromised in a huge computer hacking case.


Ignorance is bliss, but sometimes confusing... This from a sidebar article:

http://www.abcnews.go.com/WN/story?id=5520436&page=1

Online Fraud: How to Identify It and Fight Back

Tips on How to Recognize Fraud and Protect Yourself

August 5, 2008

[From the caption:

According to a federal investigation, conspirators of a retail identity theft ring used blank magnetic strips to withdraw thousands of dollars from people's bank accounts at ATM machines. [I have to assume the crooks write the stolen data onto the blank stripes. No ATM would be that easy to hack... Would they? Bob]



After praising Anheuser-Busch for encrypting their data, now I wonder what else they haven't disclosed...

http://www.pogowasright.org/article.php?story=20080805143859198

150,000 hit by brewer data theft (A-B update)

Tuesday, August 05 2008 @ 02:38 PM EDT Contributed by: PrivacyNews

About 150,000 people in the US have been affected by the theft of laptops with personal information about current and former employees of brewing giant Anheuser-Busch.

A letter sent by the St Louis, Missouri-based brewer to the Florida Attorney General's Office said the laptops, stolen in June, contained personal information on nearly 87,500 residents, including current and former employees, and more than 3,000 people involved in employee assistance programmes, either as recipients or providers.

The state of California was notified that nearly 55,000 of its residents were affected, said Abraham Arredondo, a spokesman for the attorney general's office there.

In all, residents in at least six states: Florida, New Hampshire, Virginia, Missouri, Texas and California are involved.

Source - The Press Association

Comment: it always seems worse when the entity isn't forthcoming about numbers and people find out from required disclosures to state attorneys general. Hopefully the day will come when companies just tell us straight out what the numbers are. -- Dissent.


Oops, they did it again... “I'll see your 150,000 victims and raise you 40,000.” Any other bidders?

http://www.pogowasright.org/article.php?story=20080806061523618

Data for over 190,000 at risk (A-B update)

Wednesday, August 06 2008 @ 06:25 AM EDT Contributed by: PrivacyNews

The number of people nationwide affected by the theft of laptops with personal information about current and former employees of Anheuser-Busch Cos. Inc. has grown to more than 190,000.

About 45,000 people in Virginia have been affected, an increase from previous estimates of 2,250, said J. Martin Tucker, a spokesman for the attorney general's office on Tuesday.

Source - Chicago Tribune



Tools and Techniques: How the big boys do it.

http://www.pogowasright.org/article.php?story=2008080600104682

Russian Gang Hijacking PCs in Vast Scheme

Wednesday, August 06 2008 @ 06:25 AM EDT Contributed by: PrivacyNews

A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

... The system infects PCs with a program known as Coreflood that records keystrokes and steals other information. The network of infected computers collected as much as 500 gigabytes of data in a little more than a year and sent it back to the Wisconsin computer center, Mr. Stewart said.

... As part of his investigation, Mr. Stewart charted the rate of computer infections at a state police agency and a large hotel chain. Both were victims of an outbreak that began after the gang obtained the password and login information of their network administrators. In both cases hundreds or thousands of computers were infected within minutes or hours.

Source - NY Times

[From the article:

One of the unique aspects of the malicious software is that it captures screen information in addition to passwords, according to Mark Seiden, a veteran computer security engineer. That makes it possible for gang members to see information like bank balances without having to log in to stolen accounts. [Why waste time on the small accounts? Bob]
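The spread pattern described above, one stolen administrator credential reaching hundreds of machines within minutes, is also the thing a defender can look for in remote-logon audit records: a single account fanning out to many distinct hosts in a short window. The Python below is an added illustration for this post, not code from the article or from Mr. Stewart's research; the audit-line format, the account and host names, and the 10-minute / 5-host thresholds are all constructed assumptions.

```python
"""Flag one account performing remote logons to many distinct hosts inside a
short window, the fan-out that an admin-credential-driven outbreak produces.
Added illustration; the audit-line format, names and thresholds are
constructed assumptions, not data from the article."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

TS = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(r"^(\S+ \S+) remote-logon user=(\S+) src=(\S+) dst=(\S+)$")

# Constructed sample: a backup service touching two file servers, one admin
# account reaching six workstations in about a minute, and an ordinary user.
SAMPLE_LOG = """\
2008-07-30 01:00:00 remote-logon user=svc_backup src=bk-01 dst=fs-01
2008-07-30 01:30:00 remote-logon user=svc_backup src=bk-01 dst=fs-02
2008-07-30 02:14:05 remote-logon user=netadmin1 src=ws-001 dst=ws-017
2008-07-30 02:14:09 remote-logon user=netadmin1 src=ws-001 dst=ws-018
2008-07-30 02:14:12 remote-logon user=netadmin1 src=ws-001 dst=ws-019
2008-07-30 02:14:20 remote-logon user=netadmin1 src=ws-001 dst=ws-020
2008-07-30 02:14:31 remote-logon user=netadmin1 src=ws-001 dst=ws-021
2008-07-30 02:15:02 remote-logon user=netadmin1 src=ws-001 dst=ws-022
2008-07-30 02:16:40 remote-logon user=netadmin1 src=ws-001 dst=ws-017
2008-07-30 03:00:00 remote-logon user=jdoe src=ws-105 dst=fs-01
"""


@dataclass(frozen=True)
class Logon:
    when: datetime
    user: str
    src: str
    dst: str


def parse_logons(text):
    """Turn matching audit lines into Logon records; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(Logon(datetime.strptime(m.group(1), TS), *m.groups()[1:]))
    return out


def fanout_alerts(text, window=timedelta(minutes=10), threshold=5):
    """Per account, slide a time window over its logons and report the peak
    count of distinct destination hosts if it reaches `threshold`."""
    by_user = defaultdict(list)
    for e in parse_logons(text):
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        hosts = Counter()  # distinct dst hosts inside the current window
        start = 0
        peak = None
        for end, e in enumerate(evs):
            hosts[e.dst] += 1
            # Drop the oldest events once they fall outside the window.
            while e.when - evs[start].when > window:
                old = evs[start].dst
                hosts[old] -= 1
                if hosts[old] == 0:
                    del hosts[old]
                start += 1
            if len(hosts) >= threshold and (peak is None or len(hosts) > peak["hosts"]):
                peak = {"user": user, "hosts": len(hosts),
                        "from": evs[start].when.strftime(TS),
                        "to": e.when.strftime(TS),
                        "sources": sorted({x.src for x in evs[start:end + 1]})}
        if peak:
            alerts.append(peak)
    return sorted(alerts, key=lambda a: a["from"])


if __name__ == "__main__":
    for alert in fanout_alerts(SAMPLE_LOG):
        print(alert)
```

Run as a script it prints one alert for the constructed `netadmin1` burst (six hosts in under a minute from one source workstation) and nothing for the backup service or the ordinary user. The thresholds are the tuning knobs: a legitimate patch push from a management server also fans out, so in practice the source host and the account's normal baseline decide whether the alert is noise.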



Gee, we can feel confident again! The people who are doing background checks used their incredible research powers to find the laptop that was under their noses the entire time. Or was it? Again, if I wanted to slip by TSA security, putting my name (or alias) on the database of “not second-class citizens” would certainly help.

http://www.pogowasright.org/article.php?story=20080805134446827

SFO: Laptop reported stolen from airport found

Tuesday, August 05 2008 @ 01:44 PM EDT Contributed by: PrivacyNews

A laptop that contains the personal information of some 33,000 customers of an airport fast-pass program was found this morning after being reported stolen from San Francisco International Airport on July 26, a spokeswoman for the company that runs the program said.

Allison Beer, a spokeswoman for Verified Identity Pass Inc., said the laptop was found this morning in the same secured room at the airport that it went missing from and that officials are working to determine whether any of the data was compromised.

Officials are also investigating the circumstances surrounding the laptop's reappearance, she said.

Source - CBS5.com



http://techdirt.com/articles/20080805/1408171898.shtml

A Lot More At Stake In TorrentSpy vs. MPAA Email Snooping Lawsuit

from the wiretapping-laws dept

For a few years now, we've been covering the battle between TorrentSpy and the MPAA. While TorrentSpy has given in and shut down on the question concerning the operations of its business, there was a separate legal question that is still being fought in court. As we noted recently, TorrentSpy has appealed the judge's ruling that the MPAA didn't break any laws in gaining access to its executives' emails. As you may recall, the MPAA hired a guy who hacked into TorrentSpy's servers to send copies of all the emails to himself first, which he then sold to the MPAA (he later regretted this decision and confessed to TorrentSpy, which is what resulted in the lawsuit in the first place). When the issue first came up in court, the MPAA played dumb, and pretended that it assumed the guy had legal access to the emails.

While this may seem like just a straight privacy case, the EFF, along with the ACLU and others, have filed a brief noting that there's much more at stake here. Specifically, the EFF is concerned that the court ruled that the email messages were not technically "intercepted" under the wiretap act, because the emails were stored, however briefly, on a mail server before they were copied and re-forwarded. In other words, as the EFF points out, if you have access to any server that handles a message as it travels across the internet, it's not "intercepted" for you to read that message. That has huge and very dangerous implications for any sort of internet wiretapping -- suggesting that as long as the government routed all communications through its own machines, it could read everything without a warrant. This case is about a lot more than a BitTorrent tracker battling the MPAA.



Apparently I need to take a legal research class; I couldn't find their definition of “online merchant.” Do they mean someone like Amazon or eBay, or is it broad enough to include a business that has a “storefront” on the Internet but still has 200 transactions a year?

http://www.pogowasright.org/article.php?story=20080805174019290

Housing bill raises tax, fingerprint privacy concerns

Tuesday, August 05 2008 @ 05:40 PM EDT Contributed by: PrivacyNews

The whopping housing bill that President Bush signed into law last week does far more than merely address the nation's real estate woes. Some sections have raised serious privacy concerns.

Tucked in near the end of the Housing and Economic Recovery Act is a requirement that banks and online payment networks annually collect and report to the IRS electronic payments made to online merchants. It takes effect in 2011, and will affect what information companies like PayPal collect from their sellers and could raise privacy and auditing complications.

Source - C|net

[From the article:

The housing bill also finalized the SAFE Mortgage Licensing Act. As CNET News.com previously reported, the provision creates a national fingerprint registry of "loan originators"--essentially anyone involved in the mortgage industry.



E-Discovery: An interesting discussion of the technology used to identify users when dynamic addressing is used.

http://news.slashdot.org/article.pl?sid=08/08/06/0224238&from=rss

Tufts Tells Judge, We Can't Tie IP To MAC Addresses

Posted by kdawson on Wednesday August 06, @05:21AM from the we're-cooperatin'-here dept. The Courts

NewYorkCountryLawyer writes

"Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
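The report's point is about what DHCP and ARP records can and cannot establish: a DHCP ACK ties an address to a MAC for the life of a lease, an ARP table only shows what was cached at the moment it was polled, and neither names a person. As an added example for this post (not Tufts' system or the report's code), the Python below correlates constructed DHCP ACK lines and periodic ARP snapshots to answer "which MAC held this IP at this instant?" and marks the answer ambiguous when the lease could have expired, when adjacent ARP polls disagree, or when the two sources contradict each other. The log formats, addresses, two-hour lease length and one-hour polling interval are all assumptions.

```python
"""Ask "which MAC address held this IP at this instant?" from DHCP ACK
records and periodic ARP snapshots, and flag when the data cannot say.
Added illustration: the log formats, addresses, lease length and ARP
polling interval are constructed assumptions, not Tufts' data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

TS = "%Y-%m-%d %H:%M:%S"
LEASE_TIME = timedelta(hours=2)    # assumed DHCP lease length
ARP_INTERVAL = timedelta(hours=1)  # assumed ARP-table polling interval

# Constructed syslog-style DHCP ACKs (format modelled on ISC dhcpd output).
DHCP_LOG = """\
2008-08-01 09:00:00 dhcpd: DHCPACK on 10.1.2.30 to 00:16:cb:aa:01:01 via eth0
2008-08-01 09:05:00 dhcpd: DHCPACK on 10.1.2.31 to 00:16:cb:aa:02:02 via eth0
2008-08-01 11:00:00 dhcpd: DHCPACK on 10.1.2.30 to 00:16:cb:aa:03:03 via eth0
"""
# Constructed hourly ARP-table snapshots written by a poller.
ARP_LOG = """\
2008-08-01 09:30:00 arp: 10.1.2.30 00:16:cb:aa:01:01
2008-08-01 10:30:00 arp: 10.1.2.30 00:16:cb:aa:01:01
2008-08-01 11:30:00 arp: 10.1.2.30 00:16:cb:aa:03:03
"""
DHCP_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPACK on (\S+) to (\S+) via \S+$")
ARP_RE = re.compile(r"^(\S+ \S+) arp: (\S+) (\S+)$")


@dataclass(frozen=True)
class Binding:
    when: datetime
    ip: str
    mac: str


def parse(text, pattern):
    """Turn matching log lines into Binding records; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out.append(Binding(datetime.strptime(m.group(1), TS), m.group(2), m.group(3)))
    return out


DHCP_EVENTS = parse(DHCP_LOG, DHCP_RE)
ARP_EVENTS = parse(ARP_LOG, ARP_RE)


def dhcp_holder(ip, at, events=DHCP_EVENTS, lease=LEASE_TIME):
    """MAC from the latest ACK for `ip` at or before `at`, or None if that
    lease would already have expired (the address may have been reissued)."""
    acks = [e for e in events if e.ip == ip and e.when <= at]
    if not acks:
        return None
    latest = max(acks, key=lambda e: e.when)
    return latest.mac if at - latest.when <= lease else None


def arp_candidates(ip, at, events=ARP_EVENTS, interval=ARP_INTERVAL):
    """MACs that any ARP snapshot within one polling interval of `at` mapped to `ip`."""
    return {e.mac for e in events if e.ip == ip and abs(e.when - at) <= interval}


def attribute(ip, at_text):
    """Combine both sources; the answer is a machine identifier, never a user."""
    at = datetime.strptime(at_text, TS)
    dhcp = dhcp_holder(ip, at)
    arp = arp_candidates(ip, at)
    # Ambiguous when DHCP has no live lease, when adjacent ARP polls disagree,
    # or when the two sources contradict each other.
    ambiguous = dhcp is None or len(arp) != 1 or dhcp not in arp
    return {"ip": ip, "at": at_text, "dhcp_mac": dhcp, "arp_macs": sorted(arp),
            "ambiguous": ambiguous, "identifies": "a machine (MAC), not a user"}


if __name__ == "__main__":
    for t in ("2008-08-01 09:45:00", "2008-08-01 11:15:00", "2008-08-01 14:00:00"):
        print(attribute("10.1.2.30", t))
```

Run as a script, the three queries show the three outcomes: at 09:45 both sources agree on one MAC; at 11:15 the lease has just changed hands and the two ARP polls that bracket the instant disagree, so ARP alone cannot pin it down; at 14:00 the last lease has expired and no poll is close enough, so there is no evidence at all. Even the unambiguous case only names a machine, which is exactly the report's objection. The lookup also depends on the ACK records from the window still existing, which is why the "notices to preserve information" the IT department asked for matter.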



Looks like an attendee shot this video, but still worth viewing. Any organization should have a “wish list” and someone who evaluates current events to see when parts (or all) of the list has a chance of being implemented... (I wish every seminar did this.)

http://news.slashdot.org/article.pl?sid=08/08/05/220229&from=rss

Lessig Predicts Cyber 9/11 Event, Restrictive Laws

Posted by kdawson on Tuesday August 05, @06:56PM from the waiting-for-the-other-shoe dept.

A number of readers are sending in links to a video from the Fortune Brainstorm Tech conference last month, in which Lawrence Lessig recounts a conversation over dinner with Richard Clarke, the former government counter-terrorism czar. Remembering that the Patriot Act was dropped on Congress just 20 days after 9/11 — the Department of Justice had had it sitting in a drawer for years — Lessig asked Clarke if DoJ had a similar proposed law, an "i-Patriot Act," to drop in the event of a "cyber-9/11." Clarke responded, "Of course they do. And Vint Cerf won't like it." Lessig's anecdote begins at about 4:30 in the video.



Seems like political balderdash to me. If the payroll system was programmed to even a moderate level of competence the problems described wouldn't be possible. Perhaps they should outsource the state's payroll – allowing them to save even more money by firing the entire payroll department! (I'll send Arnold an e-mail)

http://developers.slashdot.org/article.pl?sid=08/08/05/1816206&from=rss

California Can't Perform Pay Cut Because of COBOL

Posted by kdawson on Tuesday August 05, @02:41PM from the handwaving-only-gets-you-so-far dept. Programming Government The Almighty Buck

beezzie writes

"Last week, California Governor Arnold Schwarzenegger ordered a pay cut, to minimum wage of $6.55/hr, for 200,000 state workers because a state budget hadn't been approved yet. The state controller, who has opposed the pay cut on principle and legal grounds, now says the pay cut isn't even feasible because the state's payroll systems are so antiquated. He says it would take 6 months to go to minimum wage, and 9 months more to restore salaries once a budget is passed. The system is based on COBOL, according to the Sacramento Bee, and the state hasn't yet found the funds or resources, in 10 years of trying, to upgrade it."

The article quotes a consultant on how hard it is to find COBOL programmers; he says you usually have to draw them out of retirement. Problem is, if there were any such folks on the employment rolls in California, Gov. Schwarzenegger fired them all last week, too.

[From the article:

Forrer said the system has tens of thousands of lines of code, so it is time-consuming to find and replace salaries for each job classification on an individual basis. [Anyone who programs variable data like pay rates into the program code (rather than an external table) should be shot. Bob]



Inevitable...

http://science.slashdot.org/article.pl?sid=08/08/05/1830233&from=rss

Your Medical Treatment History Is For Sale

Posted by kdawson on Tuesday August 05, @03:32PM from the slippery-cliff dept. Privacy Medicine

PizzaFace writes

"The Washington Post reports on the booming business of selling your medical treatment records. Today these are mainly records of your prescriptions, but the data warehouses will soon have records of your lab tests, too. The companies selling these records make it easy for insurance companies to avoid risk by assigning each person a health score, similar to a credit score, or by flagging items in each person's history that suggest chronic or potentially expensive health problems. It's not just for insurers, either; employers who check applicants' credit scores will surely be interested in their health scores as well."




This is one of them thar “Slippery Slopey Thangs.” Rather than set a Maximum, let's call it a minimum and then never exceed it! And it reduces competitive pressure, since we can all say “my minimum is just as good as your minimum...”

http://arstechnica.com/news.ars/post/20080804-google-backs-isp-guaranteed-minimum-data-rates.html

Google backs ISP-guaranteed minimum data rates

By Nate Anderson | Published: August 04, 2008 - 10:39PM CT



Blood in the water always attracts sharks

http://linux.slashdot.org/article.pl?sid=08/08/05/2310205&from=rss

IBM Pushing Microsoft-Free Desktops

Posted by kdawson on Tuesday August 05, @07:50PM from the straight-for-the-jugular dept.

walterbyrd and other readers are sending along the news that IBM is partnering worldwide with Canonical/Ubuntu, Novell, and Red Hat to offer Windows-free desktop PCs pre-loaded with Lotus software and ready for customizing by local ISVs for particular markets. The head of IBM's Lotus division is quoted: "The slow adoption of Vista among businesses and budget-conscious CIOs, coupled with the proven success of a new type of Microsoft-free PC in every region, provides an extraordinary window of opportunity for Linux." One example of the cooperation:

"Canonical, which sells subscription support for Ubuntu, a Linux operating system that scores high marks on usability and 'the cool factor,' will re-distribute Lotus Symphony via their repositories. Symphony 1.1 will be available through the Ubuntu repositories by the end of August."



Thank god someone invented this technology! Where would the free world be without it!

http://yro.slashdot.org/article.pl?sid=08/08/05/2220242&from=rss

IBM Granted "Paper-or-Plastic?" Patent

Posted by kdawson on Wednesday August 06, @02:46AM from the not-the-onion dept. Patents IBM

theodp writes

"On Tuesday, IBM was granted US Patent No. 7,407,089 for storing a preference for paper or plastic grocery bags on customer cards and displaying a picture of said preference after a card is scanned. The invention, Big Blue explains, eliminates the 'unnecessary inconvenience for both the customer and the cashier' that results when 'Paper or Plastic?' must be asked. The patent claims also cover affixing a cute sticker of a paper or plastic bag to a customer card to indicate packaging preferences. So does this pass the 'significant technical content' test, IBM'ers?"



Geeky hacker stuff

http://www.desktoplinux.com/news/NS6100424493.html?kc=rss

WiFi software arrives on Linux desktops

Aug. 05, 2008

A vendor of Linux-based WiFi arrays is finally releasing a version of its WiFi Monitor utility for Linux desktops. The open source, widget-like Xirrus WiFi Monitor for Linux enables users to monitor, secure, and troubleshoot WiFi networks, says Xirrus.

WiFi Monitor has been available as a free utility for Windows Vista, Windows XP, and MacOS platforms for some time, and has been downloaded a half million times, claims Xirrus.



I love lists! Ones that point to interesting data in particular.

http://en.oreilly.com/oscon2008/public/schedule/proceedings

Presentation Files

Open Source Presentations From OSCon


Ditto

http://www.junauza.com/2008/08/5-known-office-suites-for-linux.html

5 Known Office Suites for Linux

Tuesday, August 5, 2008



An interesting business model to add to my collection...

http://www.killerstartups.com/Search/moneybackjobs-com-get-money-for-taking-jobs

MoneyBackJobs.com - Get Money For Taking Jobs

Imagine a world where you can get money by just accepting a job. That might sound farfetched to some, but that is what Moneybackjobs.com is all about. Like in any other job search site, you’ll be able to find jobs posted on there. The catch is, that once you accept a job you found through the site, you’ll get up to 7.5% of your first month’s salary as a hiring bonus. This allows employers who post jobs up on the site to quickly find people to take them. It also allows the site to control how many people are actually finding jobs through them. [and receive extra compensation for it Bob] Companies can pay the site to feature them on it. Basically, by giving the job applicant money once he or she accepts the job, they make sure that the company that just hired you pays them for the job. It’s a surprisingly simple concept that works for everybody.

http://www.moneybackjobs.com/



Hacking on the “Dark Side”

http://arstechnica.com/news.ars/post/20080805-high-tech-peeping-tom-rigged-laptop-webcam-to-snap-nude-pics.html

High-tech Peeping Tom rigged laptop webcam to snap nude pics

By Jacqui Cheng | Published: August 05, 2008 - 01:38PM CT

... Her friends recommended going to a student at the University of Florida who was known for his computer-fixing skills, 23-year-old Craig Matthew Feigin. She left the machine with him overnight and went on her way—until she noticed her computer having new issues several weeks later. In addition to reduced battery life, Garcia told the Gainesville Sun that her laptop's light turned on every time she got near it—a light that many of us know signals that the built-in camera is in use.

Garcia then took her machine to another computer expert—a trusted friend this time—who discovered that Feigin had installed two pieces of software onto her machine: Log Me In and Web Cam Spy Hacker. Web Cam Spy Hacker may have been written by Feigin himself (the address on the site was the same as his home address), and it allowed him to upload the various photos taken on the machine to a remote server. Unfortunately for Garcia, that included 20,000 photos of her, her friends, and her boyfriend. Since the laptop mostly resided in her bedroom, some of them were taken while she was not clothed.



For my website class

http://books.slashdot.org/article.pl?sid=08/08/04/130249&from=rss

The Ultimate CSS Reference

Posted by samzenpus on Monday August 04, @02:21PM from the read-all-about-it dept.

stoolpigeon writes

"Cascading Style Sheets are now the dominant method used to format web pages

... There is an online edition of The Ultimate CSS Reference and as far as I can tell, it is completely open to use by anyone without any kinds of restrictions. I couldn't find any in my copy of the book, and I didn't have to sign up for anything to use the site.


Ditto (also for teachers)

http://news.cnet.com/8301-10787_3-10006389-60.html?part=rss&subj=news&tag=2547-1_3-0-5

Is the world ready for Flash for dummies? Absolutely

Posted by Charles Cooper August 5, 2008 4:00 AM PDT

... The project recently moved out of beta testing and is being offered in a free general release as well as a professional version for $195 per seat.

http://flypaper.com/


Double ditto? This is horrible. I'll probably have to download a few (hundred) to prove my point.

http://torrentfreak.com/textbooktorrents-makes-a-comeback-080805/

Textbook Torrents Makes Long Awaited Comeback

Written by Ernesto on August 05, 2008

The Textbook Torrents tracker is considered to be the largest library of textbooks on BitTorrent.
