Saturday, October 31, 2009

If you let a little thing like a pre-Halloween blizzard keep you from joining us at the Privacy Foundation's seminar on HIPAA yesterday, shame on you. (And thank you, since I ate your share of an excellent lunch)

I've noticed several articles that seem to touch on topics we raised (and definitely did not resolve) yesterday. Here they are in no particular order...


This article hits several points (including the unstated: lots of money attracts lots of big players)

http://news.cnet.com/8301-27083_3-10387384-247.html?part=rss&subj=news&tag=2547-1_3-0-20

GE launches eHealth, hopes for early adopters

by Elizabeth Armstrong Moore October 30, 2009 12:26 PM PDT

The government's $19 billion incentive package to compel doctors and hospitals to digitize their inefficient paper record systems is nice and shiny. But until a platform exists to support the easy yet secure flow of highly sensitive personal information, that promise could also be empty.

Seeing a business opportunity, General Electric unveiled on Thursday its new unit, eHealth, a suite of solutions that aims to provide the necessary infrastructure. (GE reports that it is investing $90 million to launch eHealth.) It is a daunting task, but if it works, a digital record system that streamlines connectivity between clinicians and patients would eventually cost less, work faster, and reduce medical errors, some of which can be fatal.


(Related) This ties because so many of the players are not covered by HIPAA. (Okay, it's not a perfect match but read the first page of the paper and use your imagination.)

http://www.pogowasright.org/?p=4906

Article: From Privacy To Liberty: The Fourth Amendment After Lawrence

October 31, 2009 by Dissent Filed under Other, U.S.

Thomas P. Crocker has an article (pdf) in the current issue of UCLA Law Review. Here’s the abstract:

This Article explores a conflict between the protections afforded interpersonal relations in Lawrence v. Texas and the vulnerability experienced under the Fourth Amendment by individuals who share their lives with others. Under the Supreme Court’s third-party doctrine, we have no constitutionally protected expectation of privacy in what we reveal to other persons. The effect of this doctrine is to leave many aspects of ordinary life shared in the company of others constitutionally unprotected. In an increasingly socially networked world, the Fourth Amendment may fail to protect precisely those liberties—to live in the company of others free from state surveillance and intrusion—the Constitution should protect. Against the background of the third-party doctrine, we guarantee our privacy only by avoiding ordinary acts of interpersonal sharing. By contrast, the Court in Lawrence explains that intimate conduct occurring within protected personal relationships constitutes a private sphere wherein government may not intrude. Because the third-party doctrine views privacy narrowly, this Article develops a framework for revising Fourth Amendment jurisprudence in light of Lawrence’s protection for interpersonal liberty. By following the lessons of Lawrence, this Article proposes a way to reorient Fourth Amendment jurisprudence away from its focus on privacy in order to protect interpersonal liberty.

Hat-tip, Concurring Opinions.


(Related) After all, government has repeatedly demonstrated its command of Computer Technology.

http://www.pogowasright.org/?p=4911

In Congress, a call to review internal cybersecurity policies

October 31, 2009 by Dissent Filed under Breaches, Featured Headlines, Govt, U.S., Workplace

Ellen Nakashima and Carol D. Leonnig report:

House leaders on Friday called for an “immediate and comprehensive assessment” of congressional cybersecurity policies, a day after an embarrassing data breach that led to the disclosure of details of confidential ethics investigations.

Speaker Nancy Pelosi (D-Calif.) and Minority Leader John A. Boehner (R-Ohio) said they had asked the chief administrative officer of the House to report back to them on the policies and procedures for handling sensitive data as a result of the breach. The inadvertent disclosure of a House ethics committee document, obtained by The Washington Post, summarized the status of investigations into lawmakers’ activities on subjects such as influence peddling and defense lobbying. [...]

In the breach, the report was disclosed inadvertently by a junior committee staff member, who had apparently stored the file on a home computer with “peer-to-peer” software, congressional sources said. The popular software allows computer users to share music or other files and is easily available online. But it also allows anyone with the software on a computer to access documents of another user without permission, as long as the users are on a file-sharing network at the same time.

Read more in the Washington Post.



(Related) Another potential downside of huge government databases...

http://www.wired.com/threatlevel/2009/10/ncic

Woman Loses Job Due to Error in FBI Criminal Database

By Kim Zetter October 30, 2009 3:57 pm

A Maryland woman lost her accounting job after a background check performed through the FBI’s criminal database indicated, erroneously, that she was unsuitable for the job, according to the Baltimore Sun.



Would this be an issue if the targets had made a real effort to remain anonymous? The flip side is that the “defamation” would be taken far less seriously unless there was independent confirmation – i.e. it was true.

http://www.pogowasright.org/?p=4903

Swartz v. Does: American and Canadian approaches to anonymity in internet defamation cases

October 30, 2009 by Dissent Filed under Court, Internet

Matthew Nied, a law student at the University of Victoria, writes:

A recent case illustrates that American jurisprudence is increasingly coalescing around a uniform approach to determine whether a plaintiff may compel the disclosure of an anonymous defendant’s identity in internet defamation cases. As discussed below, the Canadian experience has been different.

In Swartz v. Does (“Swartz”) (see: judgment) a Tennessee state court held that plaintiffs were entitled to discover the identity of an anonymous blogger that published allegedly defamatory statements about them. The case arose when the plaintiffs subpoenaed Google, the parent company of the blogging service used by the anonymous defendants (see: news article). [...]

Swartz is yet another American case that has followed the increasingly prevalent Dendrite standard. Unfortunately, Canadian jurisprudence has yet to begin coalescing to the same extent. The scarce Canadian law on this issue, most of which comes from Ontario, indicates that plaintiffs have two ways to compel online service providers to reveal the identities of anonymous defendants….

Read more on Defamation Law Blog.

[From the blog:

The decision is notable for Justice Brothers’ survey of the various standards previously applied by American courts and his ultimate application of the standard most protective of internet anonymity. This



Cyber War I still suspect this is an example of the first stage of a binary cyber-weapon. Once the first stage is as close to ubiquitous as possible, the second stage delivers the payload. Of course, this is a very primitive example and was easily detected – if not so easily stopped.

http://it.slashdot.org/story/09/10/30/223238/After-1-Year-Conficker-Infects-7M-Computers?from=rss

After 1 Year, Conficker Infects 7M Computers

Posted by Soulskill on Friday October 30, @08:04PM from the happy-anniversary-now-run-an-antivirus dept.

alphadogg writes

"The Conficker worm has passed a dubious milestone. It has now infected more than 7 million computers, security experts estimate. On Thursday, researchers at the volunteer-run Shadowserver Foundation logged computers from more than 7 million unique IP addresses, all infected by the known variants of Conficker. They have been able to keep track of Conficker infections by cracking the algorithm the worm uses to look for instructions on the Internet and placing their own 'sinkhole' servers on the Internet domains it is programmed to visit. Conficker has several ways of receiving instructions, so the bad guys have still been able to control PCs, but the sinkhole servers give researchers a good idea how many machines are infected."


(Related) Could this be another attack on the Internet?

http://news.cnet.com/8301-17852_3-10387620-71.html?part=rss&subj=news&tag=2547-1_3-0-20

Miley Cyrus: Twitter should be banned

by Chris Matyszczyk October 30, 2009 3:51 PM PDT



I will be watching this one closely!

http://hardware.slashdot.org/story/09/10/31/0120223/Contest-To-Hack-Brazilian-Voting-Machines?from=rss

Contest To Hack Brazilian Voting Machines

Posted by Soulskill on Saturday October 31, @12:09AM from the hack-the-vote dept.

An anonymous reader writes

"Brazilian elections went electronic many years ago, with very fast results but a few complaints from losers, of course. Next month, 10 teams that accepted the challenge will have access to hardware and software (Google translation; original in Portuguese) for the amount of time they requested (from one hour to four days). Some will try to break the vote's secrecy and some will try to throw in malicious code to change the entered votes without leaving traces."



It's good to be an anti-spam lawyer, lots (and lots and lots) of evidence, predisposed (angry?) juries, and many useful precedents.

http://yro.slashdot.org/story/09/10/30/1713258/Facebook-Awarded-711-Million-In-Anti-Spam-Case?from=rss

Facebook Awarded $711 Million In Anti-Spam Case

Posted by Soulskill on Friday October 30, @01:46PM from the yet-another-spam-king-dethroned dept.

An anonymous reader writes

"Facebook is on a never-before-seen legal rampage against high profile internet spammers. Today Facebook was awarded yet another nine-figure settlement, this time for over $700 million. Facebook also has a criminal contempt case on Wallace, which means a high likelihood of prison, a big win for the internet and a milestone in cyber law. 'The record demonstrates that Wallace willfully violated the statutes in question with blatant disregard for the rights of Facebook and the thousands of Facebook users whose accounts were compromised by his conduct,' Jeremy Fogel wrote in his judgment order, which permanently prohibits Wallace from accessing the Facebook Web site or creating a Facebook account, among other restrictions."



Oh look, Congress noticed that Internet thingie... Let's hope someone (preferably someone born in the last 25 years) explains it to them. NOTE: It looks like these arguments could have come from the RIAA and ISP lobbyists.

http://arstechnica.com/tech-policy/news/2009/10/house-senate-get-separate-bills-to-kill-net-neutrality.ars

House, Senate get separate bills to kill net neutrality

With the FCC launching a rule-making proceeding on net neutrality, a pair of bills have been introduced to Congress that would bar the FCC from issuing "any regulations regarding the Internet."

By Nate Anderson Last updated October 30, 2009 12:50 PM CT

Real argument about "network neutrality" is fascinating stuff, provocative and well worth anyone's time if they care about the Internet. Unfortunately, Congress isn't great at having intelligent arguments, and net neutrality is rapidly on its way to becoming the latest victim of the Sound Bite Wars.

Sen. John McCain (R-AZ) and Rep. Marsha Blackburn (R-TN) have each introduced an anti-net neutrality bill into their respective chambers. McCain's is known as the "Internet Freedom Act of 2009," but Blackburn's is billed as (seriously) the "Real Stimulus Act of 2009" (PDF).

This "real stimulus" consists of a single line, which is identical in both bills: "The Federal Communications Commission shall not propose, promulgate, or issue any regulations regarding the Internet or IP-enabled services." While the bills target network neutrality, they appear to go much further by banning any sort of new rules on all IP services.


(Related) This video claims the economics of the Internet will break in 2015. Perhaps that is why Comcast (et al.) want to limit volume/user.

http://www.youtube.com/watch?v=g9P3FNw7W-A


(Related) Interesting opinion piece on the UK's three strikes proposal.

http://www.timesonline.co.uk/tol/comment/columnists/guest_contributors/article6896049.ece

Denying physics won’t save the video stars

Technology is making file sharing easier and easier. It will take more than unfair laws and harsh punishments to stop it

From The Times October 30, 2009 Cory Doctorow


(Related?) The Cory Doctorow article mentioned he was talking at this “Festival.” Looks like lots of interesting videos are available.

http://www.battleofideas.org.uk/index.php/2009/video_index



What happens when the Twitter world gets video? Ego-world becomes narcissist-world?

http://www.techcrunch.com/2009/10/30/stealth-startup-zkatter-to-launch-real-time-broadcasting-site-to-capture-live-moments/

Stealth Startup Zkatter To Launch Real-Time Broadcasting Site To Capture “Live Moments”

by Leena Rao on October 30, 2009



For the Hacker Folder, several ways around geographic blocks. Thank you Washington Post

http://www.washingtonpost.com/wp-dyn/content/article/2009/10/05/AR2009100500411.html?dyn=popular

On The Internet, Nobody Knows You're Not In The USA

Nik Cubrilovic TechCrunch.com Sunday, October 4, 2009; 11:25 PM

A large number of web services are geographically restricted, such as Hulu, Pandora and Spotify. The reasons are usually to do with content licensing restrictions, or because US visitors (or visitors from other advanced economies) are of a higher value from a monetization perspective. A web application can only guess at the location of a visitor based on an IP address and other information, such as browser language and regional settings.

… If you find yourself outside of the USA and wanting to watch Hulu, outside of the UK and wanting to checkout the BBC, or wanting to rig a web poll, here are some tips:



For the Hacker Folder

http://howto.wired.com/wiki/Traverse_Corporate_Firewalls

Traverse Corporate Firewalls

Censorship has never been popular with American citizens. Unfortunately, censorship is very popular with American corporations.

… Some of these techniques will require a reasonable degree of computer knowhow. They also could get you fired (or worse) so use caution. But for those undaunted, here's our guide to circumventing internet censorship.



Literature for geeks? Plagiarism reduced to cut & paste?

http://www.sparknotes.com/ SparkNotes

http://www.litcharts.com/ LitCharts

Friday, October 30, 2009

More evidence that it is not only me advocating well known, old time security procedures.

http://broadcast.oreilly.com/2009/10/top-log-fail.html

Top Log FAIL

By Anton Chuvakin October 29, 2009

A recent Wal-Mart intrusion story inspired me to summarize the most egregious, reckless, painful, negligent, sad, idiotic examples of failures with logs and logging - "Top Log FAIL." I am pretty sure that esteemed readers of SysAdmin Blog would never, ever do anything of that sort :-)
Here they are:

  1. Logging disabled: if you got a system which had operational logging enabled by default and then you turned it off before deploying in production - congratulations! You truly earn your title of a Log Idiot! :-)

  2. Logging not enabled: this is more sad than anything else ... and the person who will suffer the most from this is likely the one who has caused it. After all, you'd need those logs at some point yourself. There is nothing sadder than seeing a person having to explain to management, police, FBI, press, QSA, SEC, whoever: "Well, logging ... was ... never ... enabled!" (check out this motivational horror story)

  3. No log centralization: Windows admins, read this one - logs on the machine that crashed, was 0wned or even stolen will do you absolutely no good. It used to be that only Unix administrators could do this (via the magic of the /etc/syslog.conf line "*.* @loghost.example.com"), but you, on the Windows side, could not. Please notice that the world is different now! (check out this deck on benefits and tips related to log centralization)

  4. Log retention period too short: the picture on the right should make this item (as well as the one above) painfully clear: doing "the right thing" and building the centralized logging infrastructure and then limiting the retention to 30 days is still "log FAIL." Many, many scenarios today require logs from the past - for the juiciest examples check all the recent "compromised in 2006 - discovered in 2008" stories (see some here in this deck)

  5. No logging of "Granted", "Accepted", "Allowed", etc: I don't even know where to start on this one - maybe thus: logging firewall "connection blocked" events simply means that the firewall was doing its job, logging "connection allowed" shows that somebody is now in your network... The same idea applies to logging "login failed" and missing "login successful" - please make really sure to always log both (read this tip for more examples, instructions and ideas)

  6. Bad logs: if you are in operations, this is truly not your fault. But if you are in development - it probably is. Creating such logging classics as "failed successfully" and "login failed" [with no actual user name recorded] are fine examples of this "log FAIL." Be aware that our work on CEE will fix it eventually, but more hilarity will have to transpire before it happens (see this deck for some ideas on how not to engineer logging and how to do it - and for some examples of hilarity, of course)

  7. No log review or nobody is looking at logs: I am saving this "log FAIL" for last; logs are created to be reviewed, monitored, searched, investigated, etc and NOT - I assure you! - to simply use up disk space (check my famous "Top 11 Reasons to Look at Logs" as well the classic "Top Logging Mistakes" for more info on this one)
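Items 4, 5 and 6 above are easy to check mechanically once logs are centralized. The following is an added example, not code from Chuvakin's article or from the O'Reilly blog: a small log-quality audit that parses a constructed key=value event format (the format, host names, addresses and user names are all made up for this demo) and reports event types that record only the negative outcome (item 5), authentication events with no user name (item 6), and how many days of history the store actually holds against a required retention period (item 4).

```python
"""Log-quality audit over constructed sample events.

Added example for the "Top Log FAIL" items on retention (4), missing positive
outcomes (5) and bad/incomplete log records (6). The key=value format and all
sample values below are constructed for this demo.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a central store holding events from three hosts.
# Note the firewall only ever logs "blocked", line 3 has an empty user,
# and the oldest record is from 2009-09-01.
SAMPLE_LOG = """\
2009-10-29T08:01:12Z host=fw01 type=firewall action=blocked src=203.0.113.9 dst=10.0.0.5 dport=22
2009-10-29T08:01:15Z host=fw01 type=firewall action=blocked src=198.51.100.7 dst=10.0.0.5 dport=3389
2009-10-29T08:02:00Z host=srv01 type=auth result=failed user=
2009-10-29T08:02:07Z host=srv01 type=auth result=failed user=alice
2009-10-29T08:02:30Z host=srv01 type=auth result=success user=alice
2009-09-01T00:00:00Z host=srv02 type=auth result=failed user=bob
"""

# Fixed "current time" so the retention check is reproducible (constructed).
AUDIT_NOW = datetime(2009, 10, 30)

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Item 5: for each event type, which field carries the outcome, and which
# positive value must appear alongside the negative one.
OUTCOME_PAIRS = {
    "firewall": ("action", "allowed", "blocked"),
    "auth": ("result", "success", "failed"),
}


def parse_events(text):
    """Parse '<ISO timestamp> key=value ...' lines into dicts with line numbers."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = dict(KV_RE.findall(m.group("kv")))
        ev["_ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ev["_line"] = lineno
        events.append(ev)
    return events


def check_outcome_pairs(events):
    """Return event types that log the negative outcome but never the positive."""
    seen = defaultdict(set)
    for ev in events:
        t = ev.get("type")
        if t in OUTCOME_PAIRS:
            seen[t].add(ev.get(OUTCOME_PAIRS[t][0]))
    return sorted(
        t for t, (_, positive, negative) in OUTCOME_PAIRS.items()
        if negative in seen[t] and positive not in seen[t]
    )


def check_missing_user(events):
    """Item 6: auth events with no user name cannot be investigated later."""
    return [ev["_line"] for ev in events
            if ev.get("type") == "auth" and not ev.get("user")]


def check_retention(events, now, required_days):
    """Item 4: days of history actually held vs. the days policy requires."""
    if not events:
        return 0, False
    oldest = min(ev["_ts"] for ev in events)
    covered = (now - oldest).days
    return covered, covered >= required_days


def audit(text, now, required_days=90):
    """Run all checks and return the findings as a plain dict."""
    events = parse_events(text)
    covered, ok = check_retention(events, now, required_days)
    return {
        "hosts": sorted({ev.get("host") for ev in events}),
        "missing_positive_outcomes": check_outcome_pairs(events),
        "auth_without_user": check_missing_user(events),
        "retention_days": covered,
        "retention_ok": ok,
    }


def audit_sample():
    """Audit the constructed sample against a 90-day retention requirement."""
    return audit(SAMPLE_LOG, AUDIT_NOW)


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

On the sample, the audit flags the firewall for never logging an allowed connection, flags line 3 as an authentication record without a user, and reports only 59 days of history against the 90 required. The same three checks can be run periodically against a real central store so that these failures are noticed before the day the logs are needed.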




Is there provision for an “anonymous client?”

http://www.pogowasright.org/?p=4855

Judge: FTC Cannot Make Lawyers Comply With Identity Theft Laws

October 29, 2009 by Dissent Filed under Breaches, Court, Featured Headlines

The Federal Trade Commission cannot force practicing lawyers to comply with new regulations aimed at curbing identity theft, a federal judge ruled today at the U.S. District Court for the District of Columbia.

The decision offers a reprieve to law firms across the country, which faced a deadline this weekend to put in place programs to meet so-called “Red Flags Rule” requirements. The rules would have forced firms to verify the identities of potential clients.

The American Bar Association, represented by a Proskauer Rose team led by partner Steven Krane, argued that the rules would impose a serious burden on law firms, and sought an injunction and declaratory judgment finding that lawyers were not covered by the rule. The FTC contended that lawyers should be covered, because many of their billing practices, such as charging clients on a monthly basis rather than up front, made them “creditors.”

Read more on BLT: The Blog of Legal Times.



Dilbert addresses both Cloud Computing and Identity Theft!

http://dilbert.com/strips/comic/2009-10-30/



When you have a terrorist in those “snap a nude image” scanners, you can turn up the juice and fry them where they stand.

http://science.slashdot.org/story/09/10/30/1216230/How-Terahertz-Waves-Tear-Apart-DNA?from=rss

How Terahertz Waves Tear Apart DNA

Posted by kdawson on Friday October 30, @08:55AM from the tear-a-cell dept.

KentuckyFC writes

"Great things are expected of terahertz waves, the radiation in the electromagnetic spectrum between microwaves and the infrared. Terahertz waves pass through non-conducting materials such as clothes, paper, wood and brick and so cameras sensitive to them can peer inside envelopes, into living rooms and 'frisk' people at distance. That's not to mention the great potential they have in medical imaging. Because terahertz photons are not energetic enough to break chemical bonds or ionize electrons, it's easy to dismiss fears over their health effects. And yet the evidence is mixed: some studies have reported significant genetic damage while others, although similar, have reported none. Now a team led by Los Alamos National Labs thinks it knows why. They say that although the forces that terahertz waves exert on double-stranded DNA are tiny, in certain circumstances resonant effects can unzip the DNA strands, tearing them apart. This creates bubbles in the strands that can significantly interfere with processes such as gene expression and DNA replication. With terahertz scanners already appearing in airports and hospitals, the question that now urgently needs answering is what level of exposure is safe."



Could this be why states are gathering DNA? They plan to make our highways safer? Anything to keep them from selling this to insurance companies? Perhaps defective genes explain all anti-social behavior?

http://science.slashdot.org/story/09/10/29/1615214/Bad-Driving-May-Have-Genetic-Basis?from=rss

Bad Driving May Have Genetic Basis

Posted by samzenpus on Thursday October 29, @01:11PM from the born-to-run-off-the-road dept.

Serenissima writes

"Bad drivers may in part have their genes to blame, suggests a new study by UC Irvine neuroscientists. People with a particular gene variant performed more than 20 percent worse on a driving test than people without it — and a follow-up test a few days later yielded similar results. About 30 percent of Americans have the variant. 'These people make more errors from the get-go, and they forget more of what they learned after time away,' said Dr. Steven Cramer, neurology associate professor and senior author of the study published recently in the journal Cerebral Cortex."



One of my favorite judges gets to slam government lawyers again and again. Why they keep trying tactics that the judge has rejected many times before is one of those “I'll never understand lawyers” questions. Since Clinton has admitted guilt, why are they fighting so hard?

http://www.pogowasright.org/?p=4862

Privacy Act Does Not Apply to White House?

October 29, 2009 by Dissent Filed under Govt, U.S.

From their press release:

Judicial Watch, the public interest group that investigates and prosecutes government corruption, announced today that the Obama administration argued in a recent court filing that the Privacy Act does not apply to the Executive Office of the President (EOP). This court filing came in a Judicial Watch lawsuit filed in 1996 against the Clinton White House related to a scandal known as “Filegate,” where the Clinton White House obtained and maintained the private FBI files of hundreds of former Reagan and Bush officials [Alexander v. Federal Bureau of Investigation, Civil Action No. 96-2123/97-1288 (RCL)].

In the Obama administration’s “Renewed Motion for Summary Judgment,” filed with the U.S. District Court for the District of Columbia on September 17, the Obama Justice Department stated the following: “The White House is not an agency under the Freedom of Information Act (FOIA), and it necessarily follows that it is not an agency subject to the Privacy Act.” However, the Privacy Act specifically lists the “Executive Office of the President” as an agency subject to the Act’s provisions.

U.S. District Court Judge Royce Lamberth had repeatedly rejected this same legal argument, most recently in 2008 when the court ruled against a government motion that would have dismissed the lawsuit: “…this court holds that under the Privacy Act, the word ‘agency’ includes the Executive Office of the President, just as the Privacy Act says.”

While the Obama administration continues to advance the legal and political argument that the White House and the FBI should not be held accountable for the Filegate scandal, former President Bill Clinton apparently disagrees. Clinton told historian Taylor Branch in preparation for a recently published book, “those files did not belong at The White House,” and that they “should have been isolated and returned immediately.” According to Branch, Clinton also said “[h]is administration should and would be held accountable.”

“What the Obama administration is effectively saying here is that if the White House decides to illegally compile FBI files and violate your privacy rights, tough luck,” said Judicial Watch President Tom Fitton. “It is disturbing that the Obama administration has taken the legal position that the Privacy Act does not apply to the White House and the Clinton FBI files scandal was not a scandal. It is worrying to those of us concerned about the Obama White House’s collecting ‘fishy’ emails and compiling an enemies list of news organizations, radio hosts, businesses, and industry associations to attack and smear. Is the Obama defense of the FBI files scandal less about that Clinton scandal and more about what his White House is up to now?” [Are you listening Fox News? Bob]

Documents related to Judicial Watch’s Filegate lawsuit can be found on their web site.



How else can you have a really effective (and scary) Secret Police? (Would the courts reach the same opinion if emails were encrypted?)

http://www.pogowasright.org/?p=4878

On Gmail and the Constitution

October 30, 2009 by Dissent Filed under Court, Featured Headlines, Internet

Ashby Jones writes:

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you?

According to an opinion handed down earlier this year and currently making the rounds on legal blogs (here and here), the answer is yes.

The opinion, handed down by Portland, Ore., federal judge Michael Mosman, doesn’t really delve into the case’s facts. It cuts right to the legal issue: whether the government must notify the subscriber to an email service before the government undertakes a search. [...]

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

Read more on the WSJ Law Blog.

Over on FourthAmendment.com, John Wesley Hall comments:

The sad fact is that an amendment will be required to put a notice provision into the Stored Communications Act. People think e-mail is private like letters in transit, but “[t]he blunt fact is, they are not.” Technology is steadily overcoming the Fourth Amendment. From GPS to e-mail, our privacy is slipping away, and older notions of the meaning of the reasonable expectation of privacy no longer seem to apply. If people think that e-mail is private, then why cannot they have a subjective expectation of privacy “that society is prepared to recognize as ‘reasonable.’” Katz, infra, at 361 (Harlan, J., concurring).

The case is In the Matter of an Application of the United States for a Search Warrant on the Contents of Electronic Mail and for an Order Directing a Provider of Electronic Communication Services to not Disclose the Existence of the Search Warrant, 2009 WL 3416240 (No. 08-9131-MC, D. Ore.


(Related) Slightly different perspective

http://yro.slashdot.org/story/09/10/29/2257209/Federal-Judge-Says-E-mail-Not-Protected-By-4th-Amendment?from=rss

Federal Judge Says E-mail Not Protected By 4th Amendment

Posted by timothy on Thursday October 29, @07:58PM from the persons-papers-and-effects dept.

DustyShadow writes

"In the case In re United States, Judge Mosman ruled that there is no constitutional requirement of notice to the account holder because the Fourth Amendment does not apply to e-mails under the third-party doctrine. 'When a person uses the Internet, the user's actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus 'private' information is actually being held by third-party private companies.'" Updated 2:50 GMT by timothy: Orin Kerr, on whose blog post of yesterday this story was founded, has issued an important correction. He writes, at the above-linked Volokh Conspiracy, "In the course of re-reading the opinion to post it, I recognized that I was misreading a key part of the opinion. As I read it now, Judge Mosman does not conclude that e-mails are not protected by the Fourth Amendment. Rather, he assumes for the sake of argument that the e-mails are protected (see bottom of page 12), but then concludes that the third party context negates an argument for Fourth Amendment notice to the subscribers."


(Related) Could Oceania have slipped some spies onto Big Brother's court?

http://www.pogowasright.org/?p=4892

UK: Criminal record checks gone too far

October 30, 2009 by Dissent Filed under Court, Featured Headlines, Non-U.S., Workplace

Tom Whitehead reports:

The system of investigating people’s backgrounds for employment vetting must be overhauled because it is wrongly “tilted” in favour of protecting the public, the Supreme Court concluded.

It said this meant that individual rights could be damaged by “unreliable” or “out of date” details, especially with the use of so-called soft intelligence held by police, such as allegations or suspicions, in enhanced Criminal Record Bureau (CRB) checks.

In a victory against the growing Big Brother state, the justices, in their first judgment since the Supreme Court opened in Britain earlier this month, said there should no longer be a “presumption for disclosure” of such information, which could be “even mere suspicion or hints of matters which are disputed by the applicant”. [...]

In a second significant development, the Supreme judges said in cases where the disclosure of information is “borderline”, individuals should be given the opportunity to make representations to the police before it is passed on to employers.

Police chiefs said they would now “actively consider” allowing people to make representations.

Read more in the Telegraph.



Strange, it seems the court wants to hold the government to the same standards as the private sector. What could they be thinking?

http://www.pogowasright.org/?p=4865

Arizona public records law applies to metadata

October 29, 2009 by Dissent Filed under Court

In a decision that will be welcomed by transparency advocates but may induce handwringing in others, the Supreme Court of Arizona ruled that:

Arizona law provides that “[p]ublic records and other matters in the custody of any officer shall be open to inspection by any person at all times during office hours.” Ariz. Rev. Stat. (“A.R.S.”) § 39-121 (2001). The City of Phoenix denied a public records request for metadata in the electronic version of a public record. We today hold that if a public entity maintains a public record in an electronic format, then the electronic version, including any embedded metadata, is subject to disclosure under our public records laws.

The case is Lake v. City of Phoenix. The full decision is here (pdf). Hat-tip, How Appealing blog.


(Related) They should have read this.

http://www.bespacific.com/mt/archives/022688.html

October 29, 2009

A Call to Action for State Government: Guidance for Opening the Doors to State Data

"States and local governments should increase citizens' access to raw, machine-readable data through sites similar to the federal government's Data.gov. Data democratization will lead to greater citizen engagement and government accountability, according to the National Association of State CIOs' latest brief on transparency. In A Call to Action for State Government: Guidance for Opening the Doors to State Data, state and local CIOs are advised to populate these portals with data that is already currently available, and develop agreements with the data owners and custodians to supply ongoing data to the portal." [Dotgov Buzz]

[From the guidance:

Metadata Model

Datasets that are made available should include additional information about the dataset in order to present the context for the data



Background for the debate? How government agencies grab power?

http://news.cnet.com/8301-1035_3-10385865-94.html

The case against the FCC's Net neutrality plan

by Larry Downes October 29, 2009 10:00 AM PDT

… The comment process, which runs until March 2010, is open to anyone. The FCC is clearly expecting lots of comment. The document itself asks more than 100 questions, including whether the new rules are necessary, whether the commission should enforce them without detailed regulations but instead on a "case by case" basis, and even whether the commission has the legal authority to enact new rules in the first place.



Should we twitter them?

http://www.pogowasright.org/?p=4868

Facebook calls for feedback on proposed privacy changes

October 30, 2009 by Dissent Filed under Businesses, Featured Headlines, Internet

Facebook’s privacy policy will be changing — partly in response to changes requested by the Canadian government — and Facebook is seeking responses to the proposed changes. Yesterday, Vice President of Communications and Public Policy Elliot Schrage invited users to comment about the proposed changes. Members have until November 5 to submit comments.

Our primary goals remain transparency and readability, which is why we’ve used plain language and included numerous examples to help illustrate our points. For example, here is how we explain users’ options for modifying or deleting information or content in the current privacy policy on the site:

When you update information, we usually keep a backup copy of the prior version for a reasonable period of time to enable reversion to the prior version of that information. …

… Even after removal, copies of User Content may remain viewable in cached and archived pages or if other Users have copied or stored your User Content. …

Access and control over most personal information on Facebook is readily available through the profile editing tools. Facebook users may modify or delete any of their profile information at any time by logging into their account. Information will be updated immediately. Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.

Here is the clearer and more comprehensive version from the new proposed policy:

Viewing and editing your profile. You may change or delete your profile information at any time by going to your profile page and clicking “Edit My Profile.” Information will be updated immediately. While you cannot delete your date of birth, you can use the setting on the info tab of your profile information page to hide all or part of it from other users. …

Deactivating or deleting your account. If you want to stop using your account you may deactivate it or delete it. When you deactivate an account, no user will be able to see it, but it will not be deleted. We save your profile information (friends, photos, interests, etc.) in case you later decide to reactivate your account. Many users deactivate their accounts for temporary reasons and in doing so are asking us to maintain their information until they return to Facebook. You will still have the ability to reactivate your account and restore your profile in its entirety. When you delete an account, it is permanently deleted. You should only delete your account if you are certain you never want to reactivate it. You may deactivate your account on your account settings page or delete your account on this help page.

Limitations on removal. Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile, and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”) Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested.

Backup copies. Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others.

Read more on Facebook.


(Related) Should the government have 'friends' on Facebook? Is that what we mean when we say lawyers are friends of the court?

http://www.bespacific.com/mt/archives/022687.html

October 29, 2009

Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0

Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0 Issued By: ISIMC [Information Security and Identity Management Committee] - Effective Date: 09.17.2009

  • Abstract: The use of social media for federal services and interactions is growing tremendously, supported by initiatives from the administration, directives from government leaders, and demands from the public. This situation presents both opportunity and risk. Guidelines and recommendations for using social media technologies in a manner that minimizes the risk are analyzed and presented in this document. This document is intended as guidance for any federal agency that uses social media services to collaborate and communicate among employees, partners, other federal agencies, and the public.



Interesting use of technology. Perhaps I could become a “partner” and require my students to subscribe?

http://www.nonotes.com/index.htm

NoNotes.com

The mechanics of the site involve recording a class and its subsequent upload to the site in order to be transcribed and sent back to you.

Thursday, October 29, 2009

Here is one of those arguments used to justify leaving holes in the security system. The unencrypted credit card transaction is sent over unsecured lines (or broadcast on a wireless connection) and no one is responsible for securing it. Surely this is the electronic equivalent of the Pub shouting the information across the street to their bank? Won't anyone point out that the Emperor has no clothes?

http://www.databreaches.net/?p=8029

Joco pub and customers were targets of credit card hacker

October 28, 2009 by admin Filed under Business Sector, Hack

Dawn Bormann reports:

Llywelyn’s Pub and its customers are the victims of a cyber credit card attack, Overland Park police said Wednesday.

Overland Park police encourage anyone who has used a credit card at Llywelyn’s Pub within the last six months to monitor their statements for fraudulent expenses.

Police Spokesman Jim Weaver said that more than 100 victims have been identified so far, and they believe others could have been victimized as well.

[...]

Investigators believe the crimes were the result of a hacker, who managed to gain access to the information between the time of sale and the point at which the information reached the credit card processing company.

Investigators do not believe the credit card processing company was to blame. They have also ruled out any wrongdoing by Llywelyn’s employees.

[They must have evidence that confirms this, no other way to definitively rule out employees. Bob]

Read more in the Kansas City Star.

[From the article:

Even Owner Eric Pritchett was a victim in the scheme. He received a $700 charge from a Florida grocery store [Interesting. The owner used his credit card in his own Pub? Why? Bob]

… Pritchett said the bar and grill, which has been open since July 2007, installed a new computer server this week. [Has no impact on security whatsoever. Bob]



Probably the same thing? This one suggests they don't know how or where to look, but they still took action!

http://www.databreaches.net/?p=8037

Easybakeware.com customers notified of security concern

October 29, 2009 by admin Filed under Breach Incidents, Business Sector

When easybakeware.com customers started contacting the company to report unauthorized charges on their credit cards or debit cards from other merchants during the month of September, the Connecticut-based company instructed its Microsoft Gold Level e-commerce service provider/data center to investigate. They also hired an independent security consultant, but neither the consultant nor service provider reportedly found any evidence of a security breach.

With no confirmation of a breach but in light of the fact that 35 customers had reported problems, the company decided to alert its customers to a possible problem, including 71 New Hampshire residents. The company also reported the situation to the FBI and instructed its e-commerce service provider to remove the customer database from any network or internet connection.

Source: Notification to New Hampshire Attorney General’s Office.



These are (almost) always fun...

http://www.pogowasright.org/?p=4833

Some Thoughts on the New Surveillance

October 29, 2009 by Dissent Filed under Surveillance, U.S.

Last night I spoke at “The Little Idea,” a mini-lecture series launched in New York by Ari Melber of The Nation and now starting up here in D.C., on the incredibly civilized premise that, instead of some interminable panel that culminates in a series of audience monologues-disguised-as-questions, it’s much more appealing to have a speaker give a ten-minute spiel, sort of as a prompt for discussion, and then chat with the crowd over drinks.

I’d sketched out a rather longer version of my remarks in advance just to make sure I had my main ideas clear, and so I’ll post them here, as a sort of preview of a rather longer and more formal paper on 21st century surveillance and privacy that I’m working on. Since ten-minute talks don’t accommodate footnotes very well, I should note that I’m drawing for a lot of these ideas on the excellent work of legal scholars Lawrence Lessig and Daniel Solove (relevant papers at the links). Anyway, the expanded version of my talk after the jump…

Read more on Think Tank West. Hat-tip, FourthAmendment.com.



Helping(?) to define Privacy and “open source intelligence,” now all I need is a definition of “open” that suits my needs.

http://www.pogowasright.org/?p=4835

California Court Rejects Class Action Based on Data Collection for PII Aggregation Purposes

October 29, 2009 by Dissent Filed under Businesses, Court

Tanya Forsheit has an analysis and commentary on an appellate decision that may be of interest to consumers who resent merchants requesting their zip codes:

On Friday, the California Court of Appeal, Fourth Appellate District, certified for publication its October 8 opinion in Pineda v. Williams-Sonoma, the most recent in a string of decisions regarding California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08. On first glance, Pineda appears uneventful. The Court merely reiterated its December 2008 holding in Party City v. Superior Court, 169 Cal.App.4th 497 (2008), that zip codes are not personal identification information for purposes of the Act, right? Not so fast. In fact, the Pineda court added a couple of new wrinkles that are worth a second look. First, the court reaffirmed its Party City holding even though Pineda specifically alleged that Williams-Sonoma collected the zip code for the purpose of using it and the customer’s name to obtain even MORE personal identification information, the customer’s address, through the use of a “reverse search” database. Second, the court held that a retailer’s use of a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of a consumer’s privacy under California law.

[...]

Second, the court examined and rejected plaintiff’s claim that Williams-Sonoma’s conduct constituted an illegal intrusion into her privacy, finding no allegations (a) that her home address was not otherwise publicly available or (b) of any efforts she made to keep her address private:

Without such facts, using a legally obtained zip code to acquire, view, print, distribute or use an address that is otherwise publicly available does not amount to an offensive intrusion of her privacy.

. . . Even assuming Pineda had [alleged Williams-Sonoma had sold her home address to third parties for profit], we fail to see how selling an address that is otherwise publicly available amounts to “an egregious breach of the social norms underlying the privacy right.” . . .[Dossier business, here I come! Bob]

Additionally, . . . the complaint contains absolutely no facts showing the extent and gravity of the alleged invasion of privacy. Under the facts alleged, the disclosure of Pineda’s address amounted to a trivial invasion of her assumed privacy interest.

Read more on Information LawGroup.



Designed in a vacuum

http://www.pogowasright.org/?p=4827

Fordham Law Study: Privacy of Nation’s School Children at Risk

October 28, 2009 by Dissent Filed under Featured Headlines, Legislation, U.S., Youth

Fordham Law’s Center on Law and Information Privacy released a study that found state educational databases across the country ignore key privacy protections for the nation’s K – 12 children. The findings come as Congress is considering legislation that would expand and integrate the 43 existing state databases without taking into account the critical privacy failures in the states’ electronic warehouses of children’s information. CLIP found that sensitive, personalized information related to matters such as teen pregnancies, mental health, and juvenile crime is stored in a manner that violates federal privacy mandates. CLIP reports that at least 32 percent of states warehouse children’s social security numbers; at least 22 percent of states record student pregnancies; and at least 46 percent of the states track mental health, illness, and jail sentences as part of the children’s educational records. Also, almost all states with known programs collect family wealth indicators.

Some states outsource the data processing without any restrictions on use or confidentiality for K-12 children’s information. Access to this information and the disclosure of personal data may occur for decades and follow children well into their adult lives.

“If these issues are not addressed, the results could be catastrophic from a privacy perspective,” said Professor Joel Reidenberg, founding director of CLIP. “We don’t question the legitimacy of collecting data for school accountability, but we urge Congress and state officials to take rapid steps to ensure the data is collected and stored properly and used in compliance with established privacy laws and principles.”

CLIP launched the study in 2008 because state departments of education throughout the country had recently established statewide longitudinal databases to track all K-12 students’ progress over time. The trend has been accompanied by a movement to create uniform data collection systems so that each state’s student data systems can be interoperable.

Often the flow of information from the local educational agency to the state department of education was not in compliance with the privacy requirements of the Family Educational Rights and Privacy Act. One state, New Jersey, diverts special education Medicaid funding to pay for an out-of-state contractor to warehouse data, including medical test results. Many states do not have clear access and use rules regarding their longitudinal databases and over 80 percent of states apparently fail to have data-retention policies and, thus, are likely to hold student information indefinitely. Several states, like Montana, outsource the data warehouse without stipulating privacy protections in the vendor contract. Other states, such as Louisiana and Florida, track a long list of disciplinary matters that could remain on students’ records indefinitely.

Even so, House Bill 3221, or the Student Aid and Fiscal Responsibility Act, contains a section that calls for the expansion and further integration of these databases without addressing these privacy concerns. A Senate version of the bill is expected to be released from committee shortly.

“The CLIP study meticulously documents the states’ disregard for safeguarding children’s most personal data,” said Barmak Nassirian, Associate Executive Director, American Association of Collegiate Registrars and Admissions Officers. “And yet Congress is poised to fund an ill-thought-through expansion of these systems to include data ranging from pre-birth medical information to education, employment, military, and criminal records.”

The study makes several recommendations for increasing the privacy, transparency and accountability of the databases:

  • Data at the state level should be made anonymous through the use of dual-database architectures.

  • Third party processors of educational records should have comprehensive agreements that explicitly address privacy obligations.

  • The collection of information by the state should be minimized and specifically tied to an articulated audit or evaluation purpose.

  • Clear data-retention policies should be instituted and made mandatory.

  • States should have a Chief Privacy Officer in the department of education who assures that privacy protections are implemented for any educational record database and who publicly reports privacy impact assessments for database programs, proposals, and vendor contracts.

The full report is available here.

Source: Fordham University



This happens with every new technology. What they mean is they don't bother to build in the archiving when they implement the latest fad.

http://www.reuters.com/article/technologyNews/idUSTRE59Q5F720091027

Facebook challenges financial regulators: FINRA

Tue Oct 27, 2009 7:31pm EDT

NEW YORK (Reuters) - Social networking sites like Facebook and LinkedIn raise "serious new challenges" for financial regulators, the head of the largest U.S. independent securities regulator said on Tuesday.

Wall Street bankers and analysts increasingly want to use social networking to connect and interact with customers...

… But as these sites are currently designed they may not allow firms to keep the kind of archives of their employees' business communications required by regulators...


(Related) Of course, you could ask a hacker to help you do it.

http://www.makeuseof.com/tag/how-to-backup-archive-all-your-facebook-data/

How To Backup & Archive All Your Facebook Data

Oct. 11th, 2009 By Mahendra Palsule



I wonder what changed their mind? Is there legislation pending?

http://yro.slashdot.org/story/09/10/28/1953223/Sequoia-To-Publish-Source-Code-For-Voting-Machines?from=rss

Sequoia To Publish Source Code For Voting

Posted by timothy on Wednesday October 28, @04:07PM from the this-time-on-purpose dept.

cecille writes

"Voting machine maker Sequoia announced on Tuesday that they plan to release the source code for their new optical-scan voting machine. The source code will be released in November for public review. The company claims the announcement is unrelated to the recent release of the source code for a prototype voting machine by the Open Source Digital Voting Foundation. According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'"



Would this have impacted West Side Story (a clear rip-off of Romeo & Juliet) and will it impact reverse engineering procedures?

http://yro.slashdot.org/story/09/10/28/2236235/Amazon-Patents-Changing-Authors-Words?from=rss

Amazon Patents Changing Authors' Words

Posted by samzenpus on Wednesday October 28, @09:49PM from the it-was-a-good-time-it-was-a-bad-time dept.

theodp writes

"To exist or not to exist: that is the query. That's what the famous Hamlet soliloquy might look like if subjected to Amazon's newly-patented System and Method for Marking Content, which calls for 'programmatically substituting synonyms into distributed text content,' including 'books, short stories, product reviews, book or movie reviews, news articles, editorial articles, technical papers, scholastic papers, and so on' in an effort to uniquely identify customers who redistribute material. In its description of the 'invention,' Amazon also touts the use of 'alternative misspellings for selected words' as a way to provide 'evidence of copyright infringement in a legal action.' After all, anti-piracy measures should trump kids' ability to spell correctly, shouldn't they?"
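As an added illustration of the fingerprinting idea the submission describes (this is example code written for this page, not Amazon's patent or any product code), the block below gives each recipient a copy of a text in which a handful of words are swapped for synonyms, then traces a redistributed copy back to its recipient. The synonym table, the one-bit-per-slot encoding and the sample text are all constructed assumptions for the demonstration. It also shows the limit a content owner runs into: a leaked excerpt that is missing some slot words narrows the suspects but may not identify a single one.

```python
"""Tracing redistributed text copies via synonym substitution (added example).

Each recipient id is written into a copy by choosing, for every synonym slot,
the variant selected by one bit of the id. A leaked copy is read back the
same way. The slot table and encoding are illustrative assumptions only.
"""
import re

# Constructed synonym slots: (variant for bit 0, variant for bit 1). Eight
# slots give eight bits, i.e. up to 256 distinguishable recipients.
SLOTS = [
    ("big", "large"),
    ("quick", "fast"),
    ("start", "begin"),
    ("buy", "purchase"),
    ("show", "display"),
    ("help", "assist"),
    ("need", "require"),
    ("end", "finish"),
]

# Every variant, lower-cased, mapped to (slot index, bit value it encodes).
_LOOKUP = {w: (i, b) for i, pair in enumerate(SLOTS) for b, w in enumerate(pair)}

# Constructed sample text containing one word from every slot.
SAMPLE = ("A big company can start fast. Customers buy what we show them, "
          "and we help them when they need it, right to the end.")


def _match_case(template, word):
    """Keep a capital initial when the original token had one."""
    return word.capitalize() if template[:1].isupper() else word


def embed(text, recipient_id):
    """Return a copy of text whose synonym choices encode recipient_id.

    Raises ValueError if the text lacks a word for some slot, because then the
    full id cannot be carried (the owner would need a longer text or more slots).
    """
    if not 0 <= recipient_id < (1 << len(SLOTS)):
        raise ValueError("recipient_id does not fit in %d bits" % len(SLOTS))
    tokens = re.findall(r"[A-Za-z]+|[^A-Za-z]+", text)
    seen, out = set(), []
    for tok in tokens:
        hit = _LOOKUP.get(tok.lower())
        if hit is None:
            out.append(tok)
            continue
        slot, _ = hit
        seen.add(slot)
        bit = (recipient_id >> slot) & 1
        out.append(_match_case(tok, SLOTS[slot][bit]))
    missing = sorted(set(range(len(SLOTS))) - seen)
    if missing:
        raise ValueError("text lacks words for slots %s; cannot embed a full id" % missing)
    return "".join(out)


def extract(text):
    """Recover one bit per slot from a copy; None where the slot is absent or contradictory."""
    votes = [[0, 0] for _ in SLOTS]
    for tok in re.findall(r"[A-Za-z]+", text):
        hit = _LOOKUP.get(tok.lower())
        if hit:
            slot, bit = hit
            votes[slot][bit] += 1
    return [None if zero == one else (1 if one > zero else 0) for zero, one in votes]


def trace(text, candidate_ids):
    """Return the candidates whose id agrees with every bit recovered from text.

    Unknown slots (None) match any candidate, so an excerpt may leave several.
    """
    bits = extract(text)
    return [cid for cid in candidate_ids
            if all(b is None or ((cid >> i) & 1) == b for i, b in enumerate(bits))]


def demo():
    """Distribute three copies, 'leak' one, and identify its recipient."""
    recipients = [7, 42, 200]
    copies = {rid: embed(SAMPLE, rid) for rid in recipients}
    leaked = copies[42]
    return trace(leaked, recipients)   # -> [42]


if __name__ == "__main__":
    print(embed(SAMPLE, 42))
    print("traced to:", demo())
    print("excerpt suspects:", trace("we assist them when they need it", [7, 32, 42, 200]))
```

The excerpt call at the end returns two suspects rather than one, which is the practical weakness of this class of watermark: whoever redistributes only part of the text, or paraphrases it, strips bits of the fingerprint, and the owner should treat a partial match as a shortlist, not an identification.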



Don't bother them with vague academic theories. Your government knows that no one in this country is competent, even as they limit the number of 'foreign devils' they allow in the country. (Only governments know what is best for you.)

http://tech.slashdot.org/story/09/10/28/2313206/Obama-Looks-Down-Under-For-Broadband-Plan?from=rss

Obama Looks Down Under For Broadband Plan

Posted by samzenpus on Thursday October 29, @12:06AM from the put-another-bit-on-the-barbie dept.

oranghutan writes

"The Obama administration is looking to the southern hemisphere for tips on how to improve the broadband situation in the US. The key telco adviser to the president, Sarah Crawford, has met with Australian telco analysts recently to find out how the Aussies are rolling out their $40 billion+ national broadband network. It is also rumored that the Obama administration is looking to the Dutch and New Zealand situations for inspiration too. The article quotes an Aussie analyst as saying: 'There needs to be a multiplier effect in the investment you make in telecoms — it should not just be limited to high-speed Internet. That is pretty new and in the US it is nearly communism, that sort of thinking. They are not used to that level of sharing and going away from free-market politics to a situation whereby you are looking at the national interest. In all my 30 years in the industry, this is the first time America is interested in listening to people like myself from outside.'"


(Related) Because we gotta do something! And in five years, we plan to ignore whatever the academics tell us, using the excuse that it's too late for their Monday morning quarterbacking.

http://www.wired.com/threatlevel/2009/10/smartgrid

Feds’ Smart Grid Race Leaves Cybersecurity in the Dust

By Kim Zetter October 28, 2009 3:00 pm

Amid the government-funded rush to upgrade America’s aging electric system to a smart grid comes a strange confluence of press releases this week by the White House and the University of Illinois.

Tuesday morning, President Obama, speaking at Florida Power and Light (FPL) facilities, announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the economic stimulus package.

… Strange, then, that another press release distributed Monday by the Information Trust Institute at the University of Illinois announces a grant of $18.8 million to four academic institutions to fund a five-year research project into securing the power grid.



The perils of Blogging? It is extremely dangerous to be right when those in power are so obviously wrong. (Fortunately, I never fall into that trap.)

http://www.wired.com/magazine/2009/10/mf_minerva/all/1

The Troubles of Korea’s Influential Economic Pundit

By Mattathias Schwartz October 19, 2009 3:00 pm

Until the day he was outed, the most influential commentator on South Korea’s economy lived the life of a nobody.

… Then, in March 2008, Park opened an account on South Korea’s popular Daum Agora forum. Here, he decided, he would call himself Minerva, after the Roman goddess of wisdom, and write exclusively on economics, drawing on both public reports and his years in the stacks poring over Adam Smith and Joseph Stiglitz.

… The post that would bring Minerva worldwide fame appeared on August 25, 2008, under the florid title “Overture to the 2008 Financial Wars: Apocalypse Now in Korea.” It attacked a plan, floated three days before by the Korea Development Bank, to purchase a large chunk of Lehman Brothers. Minerva held forth at length on the stupidity of this idea, given that Lehman was groaning under $50 billion in debt. If KDB invested in Lehman, Minerva wrote, the people of Korea stood to lose as much as $80 billion. Once again, his pessimism proved to be deadly accurate. KDB and Lehman were unable to agree on a sale price. A few weeks later, Lehman filed for bankruptcy.

… Park was packing up his cell phone and laptop, getting ready to meet some friends, when the doorbell rang. Looking through the peephole he saw nothing. Whoever it was had covered the lens. Tentatively, he cracked the door open. Four plainclothes investigators pushed past him, displaying a warrant.

“Would you come with us?” one asked. “We need to ask you some questions.”

For 103 days, the South Korean government held Park in a 50-square-foot cell at a Seoul detention center. Interrogators asked about his family, whether he had a girlfriend, whether he was a spy.

… Park was acquitted of all charges.



Did you know that some students have never listened to Dave Brubeck?

http://www.makeuseof.com/tag/the-internet-music-guidebook-pdf/

DOWNLOAD: The Internet Music Guidebook

Oct. 28th, 2009 By Simon Slangen

… MakeUseOf is proud to present The Internet Music Guidebook, a manual for the internet audiophile. An introduction to the World Wide Web of Sound!

… Don’t wait, download the Internet Music Guidebook now in PDF, to view it offline and on your computer, or read it online on Scribd.com.



http://www.makeuseof.com/tag/lalarm-laptop-security-makes-your-laptop-scream-when-stolen/

LAlarm Laptop Security Makes Your Laptop Scream When Stolen

Oct. 28th, 2009 By Mahendra Palsule

Laptop theft is growing at alarming proportions. One laptop is stolen every 53 seconds, according to Gartner. A study by Dell revealed that over 12,000 laptops are lost in US airports every week.

LAlarm is a free laptop security alarming software. It has several different alarms to help protect your laptop, the most important of them being the Theft Alarm.

Wednesday, October 28, 2009

Controlling the risks of Cloud Computing with contracts? How else do you document what's important?

http://www.pogowasright.org/?p=4811

LA Council Insists On Security Breach Penalty As It Oks Move To Google’s ‘Cloud’

October 27, 2009 by Dissent Filed under Breaches, Featured Headlines, Govt, Internet

The Los Angeles City Council voted today to move the city’s 30,000 email users to a system provided by Google, but only after a provision that the city be compensated if there is a security breach in the data held on Google’s servers.

Consumer Watchdog had said that the security provisions for the Google “cloud computing” system for email and other applications remained untested and opposed the $7.25 million contract. However, the nonpartisan consumer group had argued that if the contract were approved, it should contain a provision requiring “liquidated damages” or a payment in the event of a security breach. Council voted to add the penalty provision 9-3.

“Los Angeles residents cannot be sure the city’s confidential or sensitive data will be secure,” said John M. Simpson, consumer advocate with Consumer Watchdog, “but at least they know there will be a penalty if security is compromised. It’s essential that this project be closely watched to ensure that Google keeps its promises. Google’s latest mantra, ‘Trust us, security matters’ is not a real guarantee of anything.” [As they say in California, “Well, DUH!” Bob]

Key to the plan for LA’s system is Google’s “Government Cloud,” an Internet-based system that is intended to serve Federal, State and Local governments. While the “Government Cloud” has been announced, it has not been completed. Google has said it plans to seek Federal Information Security Management Act (FISMA) certification for it, but it is unclear if, or when, such certification might happen.

“The right way to have done this is to have insisted that Google demonstrate the Government Cloud and its security and privacy measures before committing to use it,” said Simpson. “Would any of the Council members buy a car without test driving it? They’ve just voted to adopt a system that hasn’t even been built.” [Not uncommon. Bob]

The $7.25 million contract is actually with Computer Sciences Corp., which will manage the switchover to Google’s system. The Terms of Service agreement with Google is merely an appendix to the main contract, which may make it more difficult to hold Google responsible for any shortcomings in the system, Consumer Watchdog said.

Source: Consumer Watchdog



Another indication that this breach was huge. Eventually, the details will leak out.

http://www.databreaches.net/?p=8027

(Follow-up) Credit cards re-issued in Finland after data breach in Spain

October 28, 2009 by admin Filed under Breach Incidents, Financial Sector, Hack, ID Theft, Non-U.S.

A credit card security breach has been uncovered in Spain that may involve up to tens of thousands of Finnish bank and credit cards.

So far it is not known exactly how many Visa or Master Card accounts have been compromised because of the information breach. Where in Spain the hacking took place is also unclear.

In Finland, the news was first reported on Tuesday by the Finnish Broadcasting Company’s (YLE) main evening news bulletin.

According to Henry Kylänlahti, a Vice President at Luottokunta, a full-service card payment company that provides banks with card payment solutions, it is likely that the target of the hacking has been a Spanish firm in charge of card payment arrangements.

The large volume of the cards for which the information has ended up in the wrong hands indicates that the criminals have managed to gain access to payment processing data.

Read more on Helsingin Sanomat.



Should we emulate Canada?

http://www.pogowasright.org/?p=4807

Tough identity theft law passed

October 27, 2009 by Dissent Filed under Breaches, Legislation, Non-U.S.

The federal government has passed tough new legislation to give police and courts added powers to fight identity theft.

“This legislation … will better address identity theft and provide police with the tools they need to help stop these crimes before they are committed,” Justice Minister Rob Nicholson said in a statement released Tuesday in Ottawa.

Bill S-4 creates three new Criminal Code offences related to identity theft, including:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime.

  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information.

  • Unlawfully possessing or trafficking in government-issued identity documents that contain the information of another person.

Read more on CBC News.



My Business Continuity students agree.

http://www.thetechherald.com/article.php/200944/4689/SMBs-lack-cybersecurity-practices-training-is-something-that-hardly-exists

SMBs lack cybersecurity practices - training is something that hardly exists

by Steve Ragan - Oct 27 2009, 20:15

A study released on Tuesday from the National Cyber Security Alliance (NCSA) and Symantec says that small businesses are simply unprepared when it comes to security policy and actions.

… Of those who took part, 65-percent said they store customer data, 43-percent reported storing financial data, 33-percent keep credit card data, and 20-percent store sensitive company information.

With those figures, it was a mystery when the majority of SMB owners said that the Internet was a critical business service, but they are doing little to actually protect all the stored information accessible to the Web.

… Only 28-percent of U.S. small businesses have formal Internet security policies and just 35-percent provide any training to employees about Internet safety and security. Yet at the same time, 86-percent of these firms said there isn’t anyone focused solely on IT security. Of the SMBs who said they offer security training, 63-percent actually offer less than five hours a year.

… The full survey is here.



Now do you believe there is a relationship between “social networks” and ubiquitous surveillance? (Note the name.) “I've got friends and I need to know where they are at all times!” A clever app, nonetheless.

http://news.cnet.com/8301-19882_3-10384727-250.html?part=rss&subj=news&tag=2547-1_3-0-20

Stalqer mobile social app finds friends in new ways

by Rafe Needleman October 27, 2009 9:00 PM PDT

The developers of the iPhone app GasBag, which helps iPhone users find the cheapest gas for their cars, are working on a new mobile friend locator service, Stalqer. This clever and aptly named service has two technologies that are unique, as far as I know, to help it get around two of the big problems found in other friend locators like Foursquare, Loopt, and Google's Latitude.


(Related) Also for my forensic students...

http://www.pogowasright.org/?p=4809

US-CERT warns about free BlackBerry spyware app

October 27, 2009 by Dissent Filed under Surveillance

Elinor Mills reports:

The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.

The PhoneSnoop application must be installed on the phone by someone who has physical access to it or by tricking the user into downloading it, the CERT advisory said.

The author of the app, Sheran Gunasekera, director of security for Hermis Consulting in Jakarta, Indonesia, says it wasn’t written to do any actual harm, but rather to warn of the dangers that still exist with the BlackBerry.

The application can be used by anyone to spy on any BlackBerry user’s phone. However, Gunasekera says it is not hidden on the device after it’s installed, so users should be able to easily see it.

Read more on Cnet.

[From the article:

To aid BlackBerry users who asked him how they could protect themselves from being snooped on, he said he released on Tuesday another free tool called "Kisses" that will detect and display hidden programs on the device.

[PhoneSnoop is available for download from the author's site.



Cyber War: No need to attract attention to the op; just have the target's own technology ignore you!

http://tech.slashdot.org/story/09/10/28/1211228/Trojan-Kill-Switches-In-Military-Technology?from=rss

Trojan Kill Switches In Military Technology

Posted by Soulskill on Wednesday October 28, @08:46AM from the rockets-falling-out-of-the-sky dept.

Nrbelex writes

"The New York Times reports in this week's Science section that hardware and software trojan kill switches in military devices are an increasing concern, and may have already been used. 'A 2007 Israeli Air Force attack on a suspected, partly-constructed Syrian nuclear reactor led to speculation about why the Syrian air defense system did not respond to the Israeli aircraft. Accounts of the event initially indicated that sophisticated jamming technology was used to blind the radars. Last December, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source in raising the possibility that the Israelis might have used a built-in kill switch to shut down the radars. Separately, an American semiconductor industry executive said in an interview that he had direct knowledge of the operation and that the technology for disabling the radars was supplied by Americans to the Israeli electronic intelligence agency, Unit 8200.'"



Eventually, we'll figure this out.

http://www.maclife.com/article/news/net_neutrality_and_you

Net Neutrality: Follow the Money

Posted 10/27/2009 at 3:47:14pm | by Michelle Delio

… There are good arguments to be made on both sides of the Net Neutrality argument, but those who are currently shaping the conversation have apparently decided not to simply present their business case to the general public. Thankfully no one has yet figured out a way to tie Net Neutrality to Protecting The Children, but tried and true concepts like “Freedom” and “Government Interference” and “Greedy Big Business” plus “Jobs” and “Innovation” are being flung about with great abandon.


(Related) For some years I have advocated a city-owned corporation to build the infrastructure, which can then be leased to competing providers. Strangely, they hate that idea too.

http://arstechnica.com/tech-policy/news/2009/10/want-50mbps-internet-in-your-town-threaten-to-roll-out-your-own.ars

Want 50Mbps Internet in your town? Threaten to roll out your own

ISPs may not act for years on local complaints about slow Internet—but when a town rolls out its own solution, it's amazing how fast the incumbents can deploy fiber, cut prices, and run to the legislature.

By Nate Anderson | Last updated October 27, 2009 9:40 PM CT



Because it's very important to ensure your automatic target recognition software is not easily hacked.

http://linux.slashdot.org/story/09/10/27/2115243/New-DoD-Memo-On-Open-Source-Software?from=rss

New DoD Memo On Open Source Software

Posted by kdawson on Tuesday October 27, @06:55PM from the rules-of-engagement dept.

dwheeler writes

"The US Department of Defense has just released a new official memo on open source software: 'Clarifying Guidance Regarding Open Source Software (OSS).' (The memo should be up shortly on this DoD site.) This memo is important for anyone who works with the DoD, including contractors, on software and systems that include software; it may influence many other organizations as well. The DoD had released a memo back in 2003, but 'misconceptions and misinterpretations... have hampered effective DoD use and development of OSS.' The new memo tries to counter those misconceptions and misinterpretations, and is very positive about OSS. In particular, it lists a number of potential advantages of OSS, and recommends that in certain cases the DoD release software as OSS."

[Available at: http://www.dwheeler.com/misc/DoD-OSS-memo-2009.pdf