Some stats
http://www.pogowasright.org/article.php?story=20081019090621881
MA: REPORT ON THE M.G.L. CHAPTER 93H NOTIFICATIONS
Sunday, October 19 2008 @ 09:06 AM EDT Contributed by: PrivacyNews
It has now been over 10 months since the new identity theft law took effect. Under that law, businesses and others who maintain and store the personal information of Massachusetts residents must notify the Office of Consumer Affairs and Business Regulation, and the Attorney General, whenever security breaches occur that involve either personal information or unencrypted data capable of compromising personal information in a manner that creates a substantial risk of identity theft or fraud.
During that time, the Office of Consumer Affairs and business Regulation has received 318 notifications of such breaches. Of those 318 incidents, 274 were reported by businesses; 23 by educational institutions; 17 by state government; and 4 by not-for-profits. Of the 318 notifications, only 10 involved data that was encrypted when breached. There were 69 reported incidents of data breach in which the data was password protected.
The number of Massachusetts residents affected by these reported incidents was 625,365. The notifications reported that in 194 cases the breach was the result of criminal/unauthorized acts, with a high frequency of laptops or hard-drives being stolen. Thus, of the remainder of these breaches, approximately 40% of the total, are the result of employee error or sloppy internal handling of personal information or other data. This confirms that any regulatory regime must include both measures that protect against intentional wrongdoing and measures that focus on establishing internal protocols that set minimum standards for handling sensitive paper and electronic records.
While it may be that we have not received notification with respect to every breach that is reportable under M.G.L. c. 93H, §3 (whether because some are not aware of the obligation, or for other reasons have decided not to report a breach), these results suggest that the source of risk for a substantial majority of the Massachusetts residents who are affected by data security breaches (almost 75%) was the financial services sector. The remaining 25% is distributed among other institutions and industries.
The notifications also strongly suggest that the most frequent type of breach was the result of criminal/deliberate acts, mostly thefts and businesses reporting that they had reason to believe that there had been unauthorized access or use of data (though frequently the details of such access or use was not known). The 194 such cases represent more than 60% of the reported incidents.
[...]
Source - Office of Consumer Affairs and Business Regulation [pdf, Report of Sept. 19, 2008]
Comment: unfortunately, Massachusetts does not list its breach reports online, but it seems clear from their numbers that the vast majority of the breaches reported to them did not appear in the kinds of mainstream media sources that are routinely scoured by this site. Given that Massachusetts had many more reported breaches than New Hampshire during the same time period, it reminds us once again of how badly we are probably underestimating the true extent of breaches involving unencrypted data. -- Dissent.
...because...
http://www.pogowasright.org/article.php?story=2008102005320680
Data “Dysprotection:” breaches reported last week
Monday, October 20 2008 @ 05:32 AM EDT Contributed by: PrivacyNews
A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.
Source - Chronicles of Dissent
Isn't the goal of automation to take people (witnesses) out of the process? Isn't electronic evidence real evidence? Why are people still using technology for the 1840s?
http://www.pogowasright.org/article.php?story=20081020054420871
CO: Consumer Crusade loses appeal
Monday, October 20 2008 @ 05:44 AM EDT Contributed by: PrivacyNews
The Colorado Court of Appeals has rejected another attempt by Consumer Crusade Inc. of Englewood to overturn a lower court ruling against its attempts to collect damages for illegal junk faxes.
The decision upholding the state court decision, by appellate Judge Daniel Dailey, was announced on Thursday.
Source - Denver Business Journal
[From the article:
But the lower court ruled in Clarion’s favor because Consumer Crusade could not present witnesses to authenticate the faxes. The court stated, “If no such witnesses are disclosed … this case will be dismissed,” according to the appellate decision.
... Another court decision soon after the previous Clarion ruling further hampered Consumer Crusade’s attempts to collect damages on junk faxes, by saying it lacked the right to do so.
In February 2007, a Denver federal appeals court ruled that people who get junk faxes can’t turn them over to companies such as Consumer Crusade and local U.S. Fax Center Inc. for collection of damages. The court said such companies have no standing to act on behalf of recipients.
This is why the law is such a difficult field of study.
http://yro.slashdot.org/article.pl?sid=08/10/19/2136213&from=rss
Record Label Infringes Own Copyright, Site Pulled
Posted by kdawson on Sunday October 19, @05:49PM from the wonder-who-filed-the-complaint dept.
AnonCow sends in a peculiar story from TorrentFreak, which describes the plight of a free-download music site that has been summarily evicted from the Internet for violating its own copyright. The problem seems to revolve around the host's insistence that proof of copyright be snail-mailed to them. Kind of difficult when your copyright takes the form of a Creative Commons license that cannot be verified unless its site is up.
"The website of an Internet-based record label which offers completely free music downloads has been taken down by its host for copyright infringement, even though it only offers its own music. Quote Unquote Records calls itself 'The First Ever Donation Based Record Label,' but is currently homeless after its host pulled the plug."
Never confuse a politician (esp. Big Brother) with the facts!
http://www.pogowasright.org/article.php?story=20081020054829874
UK: Government faces fight from within for spy database
Monday, October 20 2008 @ 05:48 AM EDT Contributed by: PrivacyNews
Jacqui Smith, the home secretary, faces a revolt from her senior officials over plans to build a central database holding information on every telephone call, e-mail and internet visit made in the UK.
A “significant body of Home Office officials dealing with serious and organised crime” are privately lobbying against the plans, a leaked memo has revealed.
They believe the proposals are “impractical, disproportionate, politically unattractive and possibly unlawful from a human rights perspective”, the memo says.
Source - Times Online
Related It is quite common for individuals to “misplace” ID cards. Fortunately, that is not the sole basis for identification (in a rational system).
http://www.pogowasright.org/article.php?story=20081020055811130
UK: Government loses 3,500 security passes
Monday, October 20 2008 @ 05:58 AM EDT Contributed by: PrivacyNews
The Home Office and the Ministry of Justice were responsible for the bulk of the lost passes, mislaying an astonishing 3,492 security passes between 2001 and July this year. Up until last year, staff at the two departments were losing passes at the rate of 463 a year, or around nine a week, for much of the period studied.
... All of the losses raise serious concerns over the government’s ability to handle the security of its large IT databases, and control who accesses them, the Lib Dems said. The government has revealed plans to create a super database that would track the phone calls, emails and internet access records of citizens.
Source - Computerworld UK
Possibly Related? Not sure I understand this at all, but I'll mention it in my Statistics classes...
http://www.pogowasright.org/article.php?story=20081020065156475
UK: Home Office mulls fighting hacking with corporate ASBOs
Monday, October 20 2008 @ 06:51 AM EDT Contributed by: PrivacyNews
The Home Office is consulting on the possibility of applying serious crime prevention orders (AKA corporate ASBOs) to computer hacking laws.
Serious crime prevention orders allow the courts to apply "injunctions" against criminal behaviour granted on the basis of the balance of probabilities rather than the much tougher standard of beyond reasonable doubt demanded in criminal cases. Breach of the orders would result in either a fine or imprisonment.
Consultation on the plan to apply this type of regime to computer hacking offences will begin in November and last for three months, according to answers to questions in the house to junior Home Office minister Alan Campbell last week.
Source - The Register
Tools & Techniques OR We can, therefore we must? (Great target for hackers!)
http://www.infoworld.com/article/08/10/20/AlcatelLucent_provides_alwayson_protection_for_laptops_1.html?source=rss&url=http://www.infoworld.com/article/08/10/20/AlcatelLucent_provides_alwayson_protection_for_laptops_1.html
Alcatel-Lucent provides always-on protection for laptops
OmniAccess 3500 Nonstop Laptop Guardian supports HSPA and makes it possible for IT staff to communicate with a system even if the laptop is turned off
By Mikael Ricknäs, IDG News Service October 20, 2008
Alcatel-Lucent has introduced a new version of its OmniAccess 3500 Nonstop Laptop Guardian (NLG) that supports HSPA (High Speed Packet Access), it announced on Monday.
The OmniAccess 3500 NLG is a battery-powered PC card. It has its own processor, memory, and operating system, which makes it possible for the IT staff to communicate with the card anytime they like, even if the laptop is turned off, according to Peter Tebbutt, marketing and business development director at Alcatel-Lucent.
For example, patches and other security updates can be forwarded to the card and installed as soon as the laptop is turned on. The card can also keep track of the software installed on the laptop and wipe it if necessary, according to Tebbutt.
Tools & Techniques Sure to increase the sales of GPS Nav systems!
http://tech.slashdot.org/article.pl?sid=08/10/20/0225201&from=rss
DARPA Contract Hints At Real-Time Video Spying
Posted by kdawson on Monday October 20, @08:03AM from the i-know-what-you-did-last-minute dept.
The Washington Post has a story picking apart a DARPA contract document to assert that advanced video spying from the sky is on the way. The contract in question was awarded last month and involves indexing video feeds and matching feeds against stored footage. The example given is for an analyst to ask for an alert whenever any real-time Predator feed from Iraq shows a vehicle making a U-turn. [Get the directions right the first time, or see a Mavrick missle in your rear view mirror? Bob]
"Last month, Kitware, a small software company with offices in New York and North Carolina, teamed up with 19 other companies and universities and won the $6.7 million first phase of the DARPA contract, which is not expected to be completed before 2011. During the Cold War, satellites and aircraft took still pictures that intelligence analysts reviewed one frame at a time to identify the locations of missile silos, airplane hangars, submarine pens and factories, said... an expert in space and intelligence matters. 'Now with new full-motion video intelligence techniques, we are looking at people and their behavior in public,' he said. The resolution capability of the video systems ranges from four inches to a foot, depending on the collector and environmental conditions at the time, according to the DARPA paper."
Tools & Techniques (Wireless keyboards are much easier targets)
http://hardware.slashdot.org/article.pl?sid=08/10/20/1248234&from=rss
Compromising Wired Keyboard
Posted by CmdrTaco on Monday October 20, @09:30AM from the not-a-lot-of-substance-here dept. Input Devices Security
Flavien writes
"A team from the Security and Cryptography Laboratory (LASEC) in Lausanne, Switzerland, found 4 different ways to fully or partially recover keystrokes from wired keyboards at a distance up to 20 meters, even through walls. They tested 11 different wired keyboard models bought between 2001 and 2008 (PS/2, USB and laptop). They are all vulnerable to at least one of our 4 attacks. While more information on these attacks will be published soon, a short description with 2 videos is available."
Interesting but probably impossible. Perhaps an independent “evidence gathering organization” might work?
http://it.slashdot.org/article.pl?sid=08/10/20/007251&from=rss
F-Secure Calls For "Internetpol" To Fight Crimeware
Posted by kdawson on Sunday October 19, @09:53PM from the you'll-have-to-come-with-me-sir dept
KingofGnG points out F-Secure's Q3 2008 security summary, in which its Chief Research Officer Mikko Hypponen proposes establishing an "Internetpol," an international organization empowered to target and root out cybercrime anywhere in the world. Hypponen gives examples of why such a supernational force is needed — and these are not hard to find — but provides few details about how such an outfit could get started or how it would work. He does mention the wrinkle that in some countries malware writing, cracking, spamming, and phishing are not illegal or not prosecuted. Is an Internetpol even possible, let alone practical?
If nothing else, some interesting links!
http://www.pogowasright.org/article.php?story=20081019072725834
Ca: Non-party privacy and litigation
Sunday, October 19 2008 @ 07:27 AM EDT Contributed by: PrivacyNews
Peg Duncan has recently updated the e-Discovery Canada case law digest, and includes an interesting Alberta Court of Queen’s Bench decision from January 2008 called Design Group Staffing v. Fierlbeck. It’s about an employee who e-mailed himself a great number Alberta Treasury Branch records before departing from employment from a company who provided IT services to the ATB and the service provider’s very aggressive reaction.
Source - All About Information blog
That still leave all those other Rights in that Bill thing-y... Let's get to work, people!
http://yro.slashdot.org/article.pl?sid=08/10/19/1329243&from=rss
Microsoft Patents the Censoring of Speech
Posted by Soulskill on Sunday October 19, @10:11AM from the %$!#-!%-!%!$-##%-$@#! dept. Patents Microsoft
theodp writes
"On Tuesday, the USPTO awarded Microsoft a patent for the Automatic Censorship of Audio Data for Broadcast, an invention that addresses 'producing censored speech that has been altered so that undesired words or phrases are either unintelligible or inaudible.' The patent describes methods for muting offensive words and replacing them with less offensive versions, and 'a third alternative provides for overwriting the undesired word with a masking sound, i.e., "bleeping" the undesired word with a tone.' After all, there's nothing worse than being subjected to offensive speech when you're shooting someone in the head."
[“I am (that stupid politician you're not going to vote for), and I approve this message.” Bob]
Another study supporting “Open Source” research journals.
http://science.slashdot.org/article.pl?sid=08/10/19/172254&from=rss
Why Most Published Research Findings Are False
Posted by kdawson on Sunday October 19, @02:21PM from the peers-can-be-wrong-too dept. Medicine Science
Hugh Pickens writes
"Researchers have found that the winner's curse may apply to the publication of scientific papers and that incorrect findings are more likely to end up in print than correct findings. Dr John Ioannidis bases his argument about incorrect research partly on a study of 49 papers on the effectiveness of medical interventions published in leading journals that had been cited by more than 1,000 other scientists, and his finding that, within only a few years, almost a third of the papers had been refuted by other studies. Ioannidis argues that scientific research is so difficult — the sample sizes must be big and the analysis rigorous — that most research may end up being wrong, and the 'hotter' the field, the greater the competition is, and the more likely that published research in top journals could be wrong. Another study earlier this year found that among the studies submitted to the FDA about the effectiveness of antidepressants, almost all of those with positive results were published, whereas very few of those with negative results saw print, although negative results are potentially just as informative as positive (if less exciting)."