Saturday, February 27, 2010

I thought this was the case... As frequently happens, one story reminds us of other stories no one (few) noticed at the time. (Link to the video is in the article.)

http://www.boingboing.net/2010/02/25/school-administrator.html

School administrator boasts to PBS about his laptop spying

By Cory Doctorow at 10:34 PM February 25, 2010

A few weeks ago, Frontline premiered a documentary called "Digital Nation". In one segment, the vice-principal of Intermediate School 339, Bronx, NY, Dan Ackerman, demonstrates how he "remotely monitors" the students' laptops for "inappropriate use". (His demonstration begins at 4:36.)

He says "They don't even realize we are watching," "I always like to mess with them and take a picture," and "9 times out of 10, THEY DUCK OUT OF THE WAY."



The impact of Identity Theft... Think this might impact the Census? What happens if the state you were born in does the same?

http://www.databreaches.net/?p=10229

Shock, confusion after birth certificates voided

February 27, 2010 by admin

Suzanne Gamboa reports:

Native Puerto Ricans living outside the island territory are reacting with surprise and confusion after learning their birth certificates will become no good this summer.

A law enacted by Puerto Rico in December mainly to combat identity theft invalidates as of July 1 all previously issued Puerto Rican birth certificates. That means more than a third of the 4.1 million people of Puerto Rican descent living in the 50 states must arrange to get new certificates. [...and it opens a hole for Identity Thieves to use as well. Bob]

[...]

Puerto Rico’s legislature passed the law after raids last March broke up a criminal ring that had stolen thousands of birth certificates and other identifying documents from several different schools in Puerto Rico.

[...]

As much as 40 percent of the identity fraud in the U.S. involves birth certificates from Puerto Rico, McClintock said he was told by the State Department.

“It’s a problem that’s been growing and as the need in the black market for birth certificates with Hispanic-sounding names grew, the black market value of Puerto Rican birth certificates has gone into the $5,000 to $10,000 range,” McClintock said.

Thus far, there seems to be little effort by the U.S. or Puerto Rican governments to educate the 1.5 million people born in Puerto Rico and living on the mainland about the new law.

Rep. Jose Serrano, D-N.Y., has been getting a steady stream of calls about the law at his district office. Serrano —who must replace his birth certificate, too — said he is trying to provide answers without triggering a panic.

Read more in the Palm Beach Post.

[From the article:

Puerto Ricans on average get about 20 copies of their birth certificates over their lifetimes, said Kenneth McClintock Hernandez, the commonwealth's secretary of state.

This is because they are regularly asked to produce them for such events as enrolling children in school or joining sports leagues. Schools and other institutions have typically kept copies, a practice prohibited under the new law since January, McClintock said.

… He noted there is no deadline for getting a new birth certificate. After July 1, the government will issue a temporary, 15-day certificate for those who need a birth certificate in an emergency.

Puerto Rico birth certificate rules: http://tinyurl.com/yjdudqv



How to guarantee strong Computer Laws (Part III)

http://news.yahoo.com/s/ap/20100226/ap_on_hi_te/eu_britain_twitter

British politicians fall victim to Twitter scam

By RAPHAEL G. SATTER, Associated Press Writer

LONDON – British politicians were among those caught up Friday in the latest Twitter-based scam which hijacks users' accounts to send out sexually explicit messages to friends and followers. [On the other hand, this may win them even more votes in the next election. Bob]



How's this for a class title? “Computer Law for Computer Outlaws”

http://brainz.org/dmca-takedown-101/

DMCA Takedown 101

The Digital Millennium Copyright ACT (DMCA) is one of the best-known and most-controversial pieces of legislation passed in recent years. It has had a greater impact on the Web than virtually any other piece of legislation and is largely responsible for much of the Web we see today.



An indication that social networks look important to the “Music Bid'ness” at last, but perhaps teens have already moved on? Maybe there's a market for a Ghost Blogger?

http://news.cnet.com/8301-31001_3-10460660-261.html?part=rss&subj=news&tag=2547-1_3-0-20

New music acts to labels: 'We won't tweet'

by Greg Sandoval February 26, 2010 12:50 PM PST

… Some new artists signing at both major and indie labels are telling execs there that they'll make music, but don't expect them to do Facebook or Twitter. The labels are saying back that the days when performers--even mega-superstar performers--can keep fans at arm's length are over.



There seems to be a difference between the research my students do on Google and that done by the Chinese scientists. Perhaps we could get them to teach a class?

http://search.slashdot.org/story/10/02/26/1717254/Losing-Google-Would-Hit-Chinese-Science-Hard?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Losing Google Would Hit Chinese Science Hard

Posted by ScuttleMonkey on Friday February 26, @01:54PM

An anonymous reader writes to share recent statements by Chinese scientists that indicate troubled waters ahead if Google were to pull out of China.

"More than three-quarters of scientists in China use the search engine Google as a primary research tool and say their work would be significantly hampered if they were to lose it, a survey showed on Wednesday. In the survey, 84 percent said losing Google would 'somewhat or significantly' hamper their research and 78 percent said international collaborations would be affected. 'Research without Google would be like life without electricity,' one Chinese scientist said in the survey, which asked more than 700 scientists for their views."



I have no artistic ability, so I find these sites interesting.

http://www.makeuseof.com/dir/3d-pack-create-a-3d-box

3D-pack: Create A 3D Box View For Your Product

http://3d-pack.com/

3D-BoxMaker lets you create a 3D view of your product within seconds. Just upload individual images of the cover, top, side and backside – the tool will then take them and create a 3D view. It lets you create 3D boxes in the form of a CD box, DVD box or book.

Supported image formats are jpg, png and gif. Once the 3D view is created, you can rotate it in any direction to get a 360 degree view and download it to your computer.

Friday, February 26, 2010

How big is this problem? If hundreds of companies are breached, do we have a problem hundreds of times larger than Heartland or TJX? Another big question: Will any of these companies be able to fully comply? (I doubt it.)

http://www.databreaches.net/?p=10171

FTC seeks extensive information from firms being investigated for P2P breaches

This entry was posted Friday, 26 February, 2010 at 9:42 am

Jaikumar Vijayan of Computerworld was able to see a redacted copy of a letter (Civil Investigative Demand) sent by the FTC to some of the organizations who were found to be leaking information via P2P networks:

It showed the agency is seeking information, dating back to mid-2007, on a wide-range of technology and process-related topics.

For instance, the FTC is asking for detailed information on the types of personal information being collected by the company, the purpose for which it is being used, and how the data is collected, shared and stored.

The letter seeks “detailed descriptions” on how the company compiles, maintains and stores personal information, as well as “high-level diagrams setting out the flow paths” of personal information from source to the point of use.

The company is also required to identify by name, location and operating system every computer that is used to collect and store personal information. In addition, it is required to provide a “narrative” or a blueprint that describes network components in minute detail, down to individual firewalls and routers, and even database tables and field names containing personal data.

The FTC is also requiring any information the company has about its knowledge of the data leaks. The details sought include who knew about the breaches, when, what attempts the company made to inform affected individuals, and why P2P software was allowed to be installed on a company system.

Read more on Computerworld.

Since these are “non-public” investigations, I’m not sure how much we’ll eventually find out, but these investigations and any actions may become a ‘cautionary tale’ for entities that still allow P2P on their networks or allow employees to transfer data to be taken home and used on computers that may have P2P software on them.



Banks have no duty to protect small business customers, right? This will make it harder to convince them their money is safe when they use online banking...

http://www.databreaches.net/?p=10181

Recommended: The Curious Case of EMI v. Comerica

February 26, 2010 by admin

David Navetta writes:

Security breaches in the online banking world continue to yield interesting lawsuits (you can read about three others in this post). The latest online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”) provides some new wrinkles that could further illuminate the boundaries of “reasonable security” under the law. Brian Krebs has a good article summarizing the case. In addition, bankinfosecurity.com has a recent article on this matter (in which yours truly was quoted). In this post we take a look at the EMI Lawsuit, consider some legal questions that the case raises, and analyze how it might impact the question of what constitutes “reasonable security” under the law.

Read his commentary and legal analysis on InformationLawGroup.



Coming soon to a legislature near you! How to guarantee strong Computer Laws (part II) “This is serious! Not like those leaks that only impact second-class citizens!”

http://www.databreaches.net/?p=10175

Data on hundreds of politicians leaked

This entry was posted Friday, 26 February, 2010 at 9:47 am

Karin Spaink provides an English summary of a recent breach reported in Dutch media:

The addresses, telephone numbers, mobile phone numbers, home e-mail addresses and work e-mail addresses of hundreds of politicians (all members of the PvdA, the Dutch social democrats) and a number of their sponsors are out in the open. Although the list focuses on party members in the Amsterdam area, it also contains the data of the chair of the Dutch Parliament and several members of the European Parliament. Google has indexed the file. A few hours after the news was published and the owners of the website were contacted, they managed to close the open directory.

Translated and summarized from Webwereld, Feb. 25, 2010



Understand the Cloud, because it is coming at you...

http://www.redbooks.ibm.com/abstracts/redp4614.html

Cloud Security Guidance IBM Recommendations for the Implementation of Cloud Security

An IBM Redpaper publication


(Related)

ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/diw03004usen/DIW03004USEN.PDF

The Benefits of Cloud Computing


(Related) Maybe not every use of Cloud Computing will be beneficial... Watch the short video and decide for yourself. (I've grabbed a copy for my students.)

http://www.phiprivacy.net/?p=2060

GE healthymagination.com ad depicts discomfort with loss of privacy

By Dissent, February 25, 2010 3:31 pm

Aha! I’ve been waiting to find this on the Internet and thanks to MesoRx, I’ve found it:

[Get your own copy... Bob]

I agree with Millard Baker completely. Every time I see that ad run on TV I wonder if GE realizes that its ad backfires somewhat. Yes, it demonstrates the virtue of having one’s medical records available quickly, but it also depicts a very awkward-feeling patient who wants to protect his privacy from so many others’ eyes.

Is that how you see the ad, too?


(Related) Isn't this the same thing that's done for “physical” ailments? What's the big deal? If you're innocent, you have nothing to worry about. If you're not paranoid, you have nothing to worry about.

http://www.phiprivacy.net/?p=2065

NJ Psych Association sues State Health Benefits Commission, Horizon Healthcare Services and Magellan Health Services over patient confidentiality

By Dissent, February 25, 2010 3:47 pm

Susan K. Livio reports:

A psychologists group is suing two insurance companies and an administrative agency that serve 800,000 state employees, saying they are routinely demanding therapists hand over confidential patient information as a condition of getting paid.

The New Jersey Psychological Association accuses the state Health Benefits Commission, along with Horizon Blue Cross Blue Shield of New Jersey and Magellan Health Services, of telling therapists to turn over “treatment notes revealing patient thoughts and feelings revealed during therapy, and the treating psychologist’s specific guidance and counseling,’’ according to the lawsuit filed in Superior Court in Mercer County.

Read more on NJ.com.



How to commit computer crime. Oops, too late – you've already been victimized.

http://developers.slashdot.org/story/10/02/26/0542206/Anatomy-of-a-SQL-Injection-Attack?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Anatomy of a SQL Injection Attack

Posted by timothy on Friday February 26, @05:03AM

Trailrunner7 writes

"SQL injection has become perhaps the most widely used technique for compromising Web applications, thanks to both its relative simplicity and high success rate. It's not often that outsiders get a look at the way these attacks work, but a well-known researcher is providing just that. Rafal Los showed a skeptical group of executives just how quickly he could compromise one of their sites using SQL injection, and in the process found that the site had already been hacked and was serving the Zeus Trojan to visitors."

Los's original blog post has more and better illustrations, too.



Computer law for Computer Cops, Computer Psychologists, etc.

http://games.slashdot.org/article.pl?sid=10/02/26/0641244

Examining Virtual Crimes

Posted by Soulskill on Friday February 26, @01:41AM

GamePolitics has an article about a research paper issued by the AU government's Institute of Criminology titled "Crime Risks of Three-Dimensional Virtual Environments." The paper discusses the legal questions raised by game worlds and avatars, ranging from regulation of in-game currency to a report of virtual rape.

"A person controlling an avatar that is unexpectedly raped or assaulted might experience the physical reaction of 'freezing,' or the associated shock, distrust and loss of confidence in using [3D virtual environments]. While civil redress for psychological harm is conceivable, the 'disembodied' character of such an incident would invariably bar liability for any crime against the person. However, Australian federal criminal law imposes a maximum penalty of three years imprisonment for using an internet carriage service to 'menace, harass or cause offence' to another user. Further, US and Australian laws ban simulated or actual depictions of child abuse and pornography. Therefore, any representations of child avatars involved in virtual sexual activity, torture or physical abuse are prohibited, regardless of whether the real-world user is an adult or child."



We don't discuss the things we don't discuss. (Otherwise our citizens would want to discuss the things we don't discuss, and that would be disgusting!)

http://yro.slashdot.org/story/10/02/26/0128226/Aussie-Internet-Censorship-Minister-Censors-Self?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Aussie Internet Censorship Minister Censors Self

Posted by timothy on Thursday February 25, @10:50PM

An anonymous reader writes

"Communications Minister Stephen Conroy, the minister attempting to ram the great firewall of Oz down everyone's throat has been removing all traces of the unpopular legislation from his main website with a JavaScript filter. From the article: 'It was revealed today a script within the minister's homepage deliberately removes references to internet filtering from the list. In the function that creates the list, or "tag cloud," there is a condition that if the words "ISP filtering" appear they should be skipped and not displayed.' Bear in mind, this is the same minister that tried to get the ISP of tech forum Whirlpool to pull the site after users there posted a response email from the ACMA (Australian Communications and Media Authority)."



There should be a few interesting ones. Finding them is always a problem. Note: This is a great way to use PowerPoint!

http://news.slashdot.org/story/10/02/25/2341229/Next-Week-500-Geek-Talks-Around-the-World?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Next Week, 500+ Geek Talks Around the World

Posted by timothy on Thursday February 25, @07:42PM

Brady Forrest writes

"Next week, from March 1-5 there will be ~65 Ignite events happening around the world. Ignite is an opportunity for geeks to share their passions and ideas with local peers. Each speaker gets 20 slides that each auto-advance after 15 seconds for a total of just 5 minutes. The result is bite-size chunks of information that inform the crowd on new topics. Most of the Ignites will be streamed on the new Ignite video site."

Ignite Denver 6 Tuesday, March 2, 2010 - 18:00 · The Rackhouse Pub www.rackhousepub.com 208 South Kalamath Street

Ignite Fort Collins 4 Friday, March 5, 2010 - 01:00 · 802 West Drake Road, Suite 101, Fort Collins, Colorado



I love lists. I love free stuff. How could I pass on a list of free stuff?

http://www.smashapps.org/2010/02/free-open-source-software-for-windows.html

Free Open-Source Software For Windows



A list of applications, some that I might even use!

http://www.maclife.com/article/feature/15_great_services_you_had_no_idea_google_offered?page=0%2C0

15 Awesome Google Services You Never Knew Existed

Posted 02/25/2010 at 4:04:31pm | by Florence Ion



Tools & Techniques for Hackers

http://www.makeuseof.com/tag/hirens-boot-cd-allinone-boot-cd/

Hiren’s Boot CD – The All-In-One Boot CD For Every Need

Thursday, February 25, 2010

How to motivate lawmakers to take Computer Security seriously? Imagine the reaction in this country!

http://www.databreaches.net/?p=10146

Cyber-whistleblower stuns Latvia with tax heist

This entry was posted Wednesday, 24 February, 2010 at 3:30 pm

The Associated Press provides more info on a breach previously reported on this site that may have resulted in the acquisition of 7.4 million confidential files by a hacker’s group calling themselves the Fourth Awakening People’s Army (4ATA):

One of the group’s members, who uses the name “Neo” — apparently in reference to the hero of the popular “Matrix” films — has been making some of the documents available on the Internet.

On Wednesday “Neo” published salaries of members of Latvia’s police force and, in comments on a Twitter account, said “I call on the police union to analyze the data and determine whether the salary reform is fair and to continue the fight against crime.”

Earlier this week “Neo” released data showing that the CEO of Riga’s heating company, Aris Zigurs, paid himself a 16,000 lat ($32,000) bonus last year — a hefty sum for a city-owned utility, especially at a time when many municipal workers have had their salaries slashed. Zigurs confirmed to Latvian media the data was accurate.

Read more on KIDK.

[From the article:

The nation's security council discussed the breach and expressed concern that only 50 percent of the country's 175 state-run data systems have security oversight. President Valdis Zatlers called for immediate action to install proper security on all systems.



Insurance would depend on the bank's security procedures. If the bank happens to own the insurance company, you probably can't get a policy.

http://www.databreaches.net/?p=10144

Firm Faces Bankruptcy from $164,000 E-Banking Loss

This entry was posted Wednesday, 24 February, 2010 at 3:25 pm

Brian Krebs has a piece reminding us that businesses don’t have the same protection as individuals when bank accounts are hit by fraud and/or when the cause of the breach is that the user’s system was infected by malware:

A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.

Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.

Read more on KrebsonSecurity.com

[From the article:

Krebsonsecurity spoke briefly with John G. McCluskey, vice president of TDBank’s corporate security and investigations. McCluskey referred all questions about the incident to the bank’s marketing department, [Does this suggest that the bank's Risk department has no clue how to address this? Bob] which hasn’t returned calls seeking additional information and comment.



I wonder what “adequate security” would have cost?

http://www.databreaches.net/?p=10142

Cost Of A Breach, Heartland Style: At Least $129 Million; Might Be $229 Million

This entry was posted Wednesday, 24 February, 2010 at 3:20 pm

Evan Schuman comments:

In its latest financial report, Heartland Payment Systems reported that it dropped $129 million on data breach costs last year (an incident that briefly placed Heartland on Visa’s Bad Breach Boy list). The company added that it still has a reserve of $100 million for additional expenses.

As a processor, Heartland’s pain is certainly much more severe than what would be inflicted on a retailer involved in a similarly large breach. But $229 million is starting to look like real money.

Read more on StorefrontBacktalk.



Learning to speak Lawyer: “No evidence” means they can ignore all the “anecdotal” complaints.

http://www.phiprivacy.net/?p=2050

Tennessee: No evidence stolen personal information being used, BlueCross says

By Dissent, February 24, 2010 1:21 pm

Andy Sher reports:

No identity theft or credit card fraud has been found stemming from the October theft of 57 computer hard drives containing BlueCross customers’ personal information, a company official told state lawmakers today.

“No sir,” Clay Phillips, BlueCross’ director and associate general counsel for state affairs, told Sen. Ken Yager, R-Harriman. “We monitor that daily.”

Mr. Phillips said the Chattanooga-based insurer has had a “couple” of notifications that members’ company-issued identification numbers were “exposed.” But he emphasized that BlueCross officials tracked the cases down and were able to “determine that none of it is the result of this exposure.”

BlueCross’ update to Senate State and Local Government Committee members is the latest action the company has taken following the theft of the computer hard drives from an abandoned BlueCross training center at the Eastgate Center in Chattanooga.

Read more in the Chattanooga Free Times Press.

[From the article:

The company has spent more than $7 million to identify the scope of what was stolen and to notify those affected, officials have previously said. Millions of dollars more are likely to be spent.

“The risk of exposure (to customers) is actually very small,” Mr. Phillips said in response to another lawmaker’s question. “As you can see from how long it’s actually taking us using 800 employees to get at this data, it’s very difficult to ‘mine’ data like this.” [Perhaps my Intro to Computer Security students could help? Or the Latvian whistleblower in the article above? Bob]

Asked whether there were any suspects, Mr. Phillips said he could not publicly say. [Possible translations: “No one told me.” OR “Yes” OR “We don't have a clue.” Bob]



Again....

http://www.wired.com/threatlevel/2010/02/ftc-identity-theft-no-1-consumer-complaint/

FTC: Identity Theft Is No. 1 Consumer Complaint

The complete 101-page report (.pdf) is available here.



Also a “learning to speak lawyer” article, and more “spin” in the “WebCamGate” story. I fail to understand why they don't say “There was no photo,” if that was the case. Why dance around if they are guilty?

http://news.cnet.com/8301-19518_3-10459240-238.html?part=rss&subj=news&tag=2547-1_3-0-20

High-school disciplinarian denies Webcam spying

by Larry Magid February 24, 2010 2:59 PM PST

Responding to what she called "many false allegations reported about me in the media," Harriton High School Assistant Vice Principal Lynn Matsko gave an emotional response on Wednesday morning to allegations that she played any role in the alleged remote activation of a student's school-issued laptop Webcam to spy on the student at home.

… With anger apparent in her voice, Matsko read a statement in which she said "at no point in time did I have the ability to access any Webcam through security-tracking software. At no time have I ever monitored a student via a laptop Webcam, nor have I ever authorized the monitoring of a student via security-tracking Webcam either at school or in the home. And I never would."

… You can listen to the entire 5-and-a-half-minute statement, courtesy of CBS radio station KYW Newsradio 1060 Philadelphia.

… After Matsko's statement, Blake Robbins read a statement (PDF) from his family saying that "nothing in Ms. Matsko's statement is inconsistent with what we stated in our complaint. Ms. Matsko does not deny that she saw a Webcam picture and screenshot of Blake in his home; she only denies that she is the one who activated the Webcam."

… You can listen to Blake Robbins read the 4 minute, 15 second statement here on KYW Newsradio's site.



Worth a look...

http://www.internetevolution.com/tutorial-cloud-security.asp

New Video Tutorial: Cloud Computing Security

Internet Evolution's latest video tutorial on cloud computing security identifies the challenges and offers checklists to consider and solutions, where available. The tutorial, hosted by security expert and Wikibon founder David Vellante, is divided into 10 questions to allow viewers to dig into the topics they care about most.



For some values of “Reasonable”

http://www.pogowasright.org/?p=7989

Tennessee Supreme Court to Hear Right to Privacy Issue

February 25, 2010 by Dissent

The Baker Associates blog discusses a case coming before the Tennessee Supreme Court:

…. The right to privacy, however, does have some limitations. One of those limitations is that the right does not exist where the person has no reasonable expectation [Different from “Some” reasonable expectation and dependent on the definition of “Reasonable” Bob] of privacy. There can be a plethora of reasons for why a person may have a diminished expectation of privacy, and one of those reasons is set to come before the Tennessee Supreme Court on its upcoming docket. In an upcoming case styled State v. Talley, the Court will decide if the defendant had a reasonable expectation of privacy with regard to the common areas of his condominium complex, a common area to which many third parties had unrestricted access. In this case, detectives had performed a warrantless search of the common areas by asking a third party if they could come inside the condominium and look around and obtaining consent to do so. They then gathered evidence that was in plain view in order to provide them with probable cause to execute the search later. The defendant contended that the search was unconstitutional, but his motion was unsuccessful.

While it is true that defendants do not generally have a reasonable expectation of privacy with regard to places where a numerous amount of third parties have unfettered access, some circumstances in this case suggest that law enforcement officials may have overstepped their constitutional boundaries.

Read more on Baker Associates.


(Related)

http://www.pogowasright.org/?p=7992

On Fourth Amendment Privacy: Everybody’s Wrong

February 25, 2010 by Dissent

Jim Harper of the Cato Institute writes:

Everybody’s wrong. That’s sort of the message I was putting out when I wrote my 2008 American University Law Review law review article entitled “Reforming Fourth Amendment Privacy Doctrine.”

A lot of people have poured a lot of effort into the “reasonable expectation of privacy” formulation Justice Harlan wrote about in his concurrence to the 1967 decision in U.S. v. Katz. But the Fourth Amendment isn’t about people’s expectations or the reasonableness of their expectations. It’s about whether, as a factual matter, they have concealed information from others—and whether the government is being reasonable in trying to discover that information.

Read more here or even better, listen to the podcast here.



It's for your own good! We need this to diagnose and fix “problems” This is the kind of help I can do without!

http://it.slashdot.org/story/10/02/24/235249/GoDaddy-Wants-Your-Root-Password?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

GoDaddy Wants Your Root Password

Posted by samzenpus on Wednesday February 24, @07:20PM

Johnny Fusion writes

"The writer of the Securi Security Blog had an alarming awakening when a honeypot on port 22 on a GoDaddy-hosted VPS recorded login attempts using his GoDaddy username and password and even an attempt to login as root. It turns out the attempt was actually from within GoDaddy's network. Before he could 'alert' GoDaddy about the security breach, he got an email from GoDaddy Demanding his root login credentials. There is an update where GoDaddy explains itself and says they will change policy."



There is probably no good way to do this. But this seems far from the best available choice...

http://www.pogowasright.org/?p=7982

Microsoft takes down Cryptome, but Cryptome will be back

February 25, 2010 by Dissent

John Young of Cryptome.org has been a thorn in the side of numerous businesses and government agencies for posting documents that they would rather not be seen by the public, such as those marked For Official Use Only, or lawful compliance guides issued by ISPs and providers that detail what kinds of information they maintain on subscribers that they can provide to law enforcement. But now Microsoft has used copyright law to take down Cryptome over its publication of their Microsoft® Online Services Global Criminal Compliance Handbook.

[ … ]

Of course, if Microsoft wanted to keep the manual quiet, the takedown notice ended any thought of that. The manual has now been mirrored all over the Internet, including Wikileaks.

Microsoft, meet Streisand.



No one seems to distort the facts more than a lawyer working for a Copyright Trust.

http://news.slashdot.org/story/10/02/24/1812244/Use-Open-Source-Then-Youre-a-Pirate?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Use Open Source? Then You're a Pirate!

Posted by ScuttleMonkey on Wednesday February 24, @03:59PM

superapecommando writes

"There's a fantastic little story in the Guardian today that says a US lobby group is trying to get the US government to consider open source as the equivalent to piracy. The International Intellectual Property Alliance (IIPA), an umbrella group for American publishing, software, film, television and music associations, has asked the US Trade Representative (USTR) to consider countries like Indonesia, Brazil, and India for its 'Special 301 watchlist' because they encourage the use of open source software. A Special 301, according to Guardian's Bobbie Johnson is: 'a report that examines the "adequacy and effectiveness of intellectual property rights" around the planet — effectively the list of countries that the US government considers enemies of capitalism. It often gets wheeled out as a form of trading pressure — often around pharmaceuticals and counterfeited goods — to try and force governments to change their behaviors.'"



I'm going to save this study for my “How to Stalk” class.

http://science.slashdot.org/story/10/02/24/2343219/Cell-Phone-Data-Predicts-Movement-Patterns?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Cell Phone Data Predicts Movement Patterns

Posted by samzenpus on Thursday February 25, @01:26AM

azoblue writes

"In a study published in Science, researchers examined customer location data culled from cellular service providers. By looking at how customers moved around, the authors of the study found that it may be possible to predict human movement patterns and location up to 93 percent of the time."

[From the article:

Cell phone companies store records of customers' locations based on when the customers' phones connect to towers during calls. Researchers realized that taking this data and paring it down to users who place calls more frequently might allow them to see if they could develop any measure of how predictable human movements and locations are.

… Customers that stuck to the same six-mile radius had predictability rates of 97 to 93 percent, and this fell off as the typical area of travel grew. But the predictability eventually stabilized, and remained at 93 percent even as the radius of travel rose to thousands of miles. Regardless of how widely they traveled, the researchers could adequately predict their locations, down to the specific tower, 93 percent of the time.
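What such tower records give away is easy to show with a toy version of the analysis. The following Python is an added example, not code from the study or the article: the call records, subscribers and tower IDs are constructed, and the predictor (the tower that most often served the subscriber at that hour of the day) is a deliberately simple stand-in for the entropy-based measure the researchers used.

```python
from collections import Counter, defaultdict

# Constructed call records: (subscriber, day, hour, tower). "A" keeps a
# commuter routine; "B" has no routine at all. A real CDR row would carry a
# timestamp and the cell/sector ID of the tower that served the call.
A_ROUTINE = [(7, "T1"), (8, "T3"), (9, "T2"), (12, "T2"),
             (17, "T2"), (18, "T3"), (20, "T1")]
B_DAYS = [
    [(7, "T5"), (12, "T9"), (20, "T2")],
    [(7, "T8"), (12, "T5"), (20, "T7")],
    [(7, "T2"), (12, "T1"), (20, "T9")],
    [(7, "T4"), (12, "T3"), (20, "T6")],
    [(7, "T6"), (12, "T4"), (20, "T3")],
]
RECORDS = (
    [("A", day, hour, tower) for day in range(5) for hour, tower in A_ROUTINE]
    + [("B", day, hour, tower)
       for day, calls in enumerate(B_DAYS) for hour, tower in calls]
)


def hour_profiles(records):
    """subscriber -> hour -> Counter of towers that served them at that hour."""
    profiles = defaultdict(lambda: defaultdict(Counter))
    for sub, _day, hour, tower in records:
        profiles[sub][hour][tower] += 1
    return profiles


def usual_tower(profile, hour):
    """The tower most often serving this subscriber at this hour, or None."""
    if not profile.get(hour):
        return None
    return profile[hour].most_common(1)[0][0]


def predictability(records, train_days):
    """Learn each subscriber's routine from the first train_days days, then
    return {subscriber: share of later records where the usual tower for that
    hour was the right one}. This is the 'predictability' a stalker cares about."""
    profiles = hour_profiles(r for r in records if r[1] < train_days)
    hits, total = Counter(), Counter()
    for sub, day, hour, tower in records:
        if day < train_days:
            continue
        total[sub] += 1
        if usual_tower(profiles[sub], hour) == tower:
            hits[sub] += 1
    return {sub: hits[sub] / total[sub] for sub in total}


def routine(records, sub):
    """The 'where is this person at hour h' table: hour -> usual tower."""
    profile = hour_profiles(records)[sub]
    return {hour: usual_tower(profile, hour) for hour in sorted(profile)}


if __name__ == "__main__":
    for sub, score in sorted(predictability(RECORDS, train_days=3).items()):
        print(f"{sub}: usual-tower prediction correct {score:.0%} of the time")
    print("A's routine:", routine(RECORDS, "A"))
```

Three days of records are enough to reconstruct the commuter's whole day; the only defence the subscriber has is whatever retention and access policy the carrier applies to these logs, which is exactly what the compliance handbooks discussed above describe.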


(Related) If they can track anyone but crooks, is anyone they can't track a crook?

http://www.wired.com/gadgetlab/2010/02/car-thieves-use-gps-jammers-to-make-a-clean-getaway/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Car Thieves Use GPS Jammers to Make Clean Getaway



We're a long way from computers “spontaneously” selecting topics to learn in an attempt to outdo humans. What I'd like to know is if the computer is using “rules” similar to those I learned when I was becoming the preeminent kazoo player of the third grade.

http://tech.slashdot.org/story/10/02/24/2315204/Triumph-of-the-Cyborg-Composer?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Triumph of the Cyborg Composer

Posted by samzenpus on Wednesday February 24, @08:58PM

An anonymous reader writes

"UC Santa Cruz emeritus professor David Cope's software, nicknamed Emmy, creates beautiful original music. So why are people so angry about that? From the article: 'Cope attracted praise from musicians and computer scientists, but his creation raised troubling questions: If a machine could write a Mozart sonata every bit as good as the originals, then what was so special about Mozart? And was there really any soul behind the great works, or were Beethoven and his ilk just clever mathematical manipulators of notes?'"



I tend to believe this study, but then I grew up in the “Dragnet” culture (Just the facts, ma'am). Are “Individualist” and “Communitarian” code words for Conservative and Liberal?

http://science.slashdot.org/story/10/02/24/2332234/Beliefs-Conform-to-Cultural-Identities?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Beliefs Conform to Cultural Identities

Posted by samzenpus on Wednesday February 24, @11:07PM

DallasMay writes

"This article describes an experiment that demonstrates that people don't put as much weight on facts as they do their own belief about how the world is supposed to work. From the article: 'In one experiment, Braman queried subjects about something unfamiliar to them: nanotechnology — new research into tiny, molecule-sized objects that could lead to novel products. "These two groups start to polarize as soon as you start to describe some of the potential benefits and harms," Braman says. The individualists tended to like nanotechnology. The communitarians generally viewed it as dangerous. Both groups made their decisions based on the same information. "It doesn't matter whether you show them negative or positive information, they reject the information that is contrary to what they would like to believe, and they glom onto the positive information," Braman says.'"



Perhaps not as good as dedicated mindmapping software, but more people should be familiar with it...

http://www.makeuseof.com/tag/build-mind-map-microsoft-word/

How To Build a Mind Map In Microsoft Word



A tool for my students who claim they don't like to read...

http://www.makeuseof.com/dir/carryouttext-convert-text-into-mp3

CarryOutText: Convert Text Into MP3 Audio

Wednesday, February 24, 2010

We need more computer forensic training at the high school level, we need ethics training at the school district level, and we need lawyers trained on digital evidence. I expect someone will be following this case microscopically, and we will get to see the evidence! (Please don't settle out of court!)

http://yro.slashdot.org/story/10/02/23/2030207/Federal-Judge-Orders-Schools-To-Stop-Laptop-Spying?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Federal Judge Orders Schools To Stop Laptop Spying

Posted by kdawson on Tuesday February 23, @06:03PM

CWmike writes

"A federal judge on Monday ordered the Pennsylvania school district accused of spying on its students to stop activating the cameras in school-issued MacBook laptops. According to the original complaint, Blake Robbins was accused by a Harriton High School assistant principal of 'improper behavior in his home' and shown a photograph taken by his laptop as evidence. In an appearance on network television last Saturday, Robbins said he was accused by the assistant principal of selling drugs and taking pills — but he claimed the pictures taken by his computer's camera showed him eating candy. Also on Monday, the company selling the software used by the school district to allegedly spy on its students blasted what it called laptop theft-recovery 'vigilantism.'"

jamie found two posts from stryde.hax pointing out suggestive information about one school district network administrator, and coaching students how to determine if their school-issued laptops were infected with the LANRev software used to operate the cameras remotely and in secret.

[From the “suggestive information” article:

In this post, Perbix discusses methods for remotely resetting the firmware lockout used to prevent jailbreaking of student laptops. A jailbreak would have allowed students to monitor their own webcam to determine if administrators were truly taking pictures or if, as the school administration claimed, the blinking webcams were just "a glitch." [First time I've seen this claim. Bob]

… In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

… The truly amazing part of this story is what's coming out from comments from the students themselves. Some of the interesting points:

  • Possession of a monitored Macbook was required for classes

  • Possession of an unmonitored personal computer was forbidden and would be confiscated [It's our way or the highway... Bob]

… When I spoke at MIT about the wealth of electronic evidence I came across regarding Chinese gymnasts, I used the phrase "compulsory transparency". I never thought I would be using the phrase to describe America, especially so soon, but that appears to be exactly the case.

"Hi, I'm a 2009 Graduate of Harriton Highschool. [...] I and a few of my fellow peers were suspicious of this sort of activity when we first received the laptops. The light next to the web cam would randomly come on, whether we were in class, in study hall or at home minding our own business. We reported it multiple times, each time getting the response: "It's only a malfunction. if you'd like we'll look into it and give you a loaner computer."

… What amazes me most is that the family and lawyer filing the suit appear to have done no digital forensics going in, and no enterprising student hacker ever jailbroke a laptop and proved this was going on. The greatest threat to this investigation now is the possibility that the highly trained technical staff at LMSD could issue a LANRev script to wipe digital forensic evidence off all the laptops. This is why it is imperative for affected parents to have the hard drive removed from their children's laptops and digitally imaged before the laptop is connected to a network. With enough persistence, and enough luck, we may eventually learn the truth.

[You've read the stories, now buy the T-shirt!]

http://www.zazzle.com/lower_merion_school_district_scandal_parody_tshirt-235568003500926676
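One way to do the imaging step stryde.hax calls for, as an added example rather than anything from that post or the lawsuit: a POSIX shell script that hashes the drive, copies it sector by sector, hashes the copy and logs both. The device path, the file names and the write-blocker setup are assumptions; run it against the drive pulled from the laptop, never against a live system that could still receive a wipe script.

```bash
#!/bin/sh
# Added example: image a drive and prove the image matches, before the
# machine is ever put back on a network. Run against the raw device behind
# a hardware write blocker (e.g. /dev/sdb, an assumed path); the self-test
# uses an ordinary file in place of a device.
set -eu

# image_drive SOURCE IMAGE
# Produces IMAGE, IMAGE.sha256 (hash of the source as first read) and
# IMAGE.log (one chain-of-custody line). Succeeds only if image and source
# hash the same; a mismatch means unreadable sectors were zero-filled and
# the case notes must say so.
image_drive() {
    src="$1"
    img="$2"
    # Hash the evidence before copying it, so the reference hash is of the
    # drive as first seen, not of our copy.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    printf '%s  %s\n' "$src_hash" "$src" > "$img.sha256"
    # noerror: do not stop at a bad sector; sync: zero-fill it so every
    # later byte keeps its original offset in the image.
    dd if="$src" of="$img" bs=512 conv=noerror,sync
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s source=%s image=%s src_sha256=%s img_sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" \
        >> "$img.log"
    [ "$src_hash" = "$img_hash" ]
}

# Usage: sh image.sh /dev/sdb /evidence/laptop-0042.dd
if [ "$#" -eq 2 ]; then
    if image_drive "$1" "$2"; then
        echo "verified: $2 matches $1"
    else
        echo "MISMATCH: $2 does not hash like $1 (see $2.log)" >&2
        exit 1
    fi
fi
```

Work from the image, never from the original drive, and keep the .sha256 and .log files with the image; anyone who later questions what was on the laptop can rehash the image and compare.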


(Related) Digital evidence falls under the “need to capture” envelope – just with more urgency.

http://hardware.slashdot.org/story/10/02/23/2210224/Avoiding-a-Digital-Dark-Age?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Avoiding a Digital Dark Age

Posted by kdawson on Tuesday February 23, @06:49PM

al0ha writes to recommend a worthwhile piece up at American Scientist on the problems of archiving and data preservation in an age where all data are stored digitally.

"It seems unavoidable that most of the data in our future will be digital, so it behooves us to understand how to manage and preserve digital data so we can avoid what some have called the 'digital dark age.' This is the idea — or fear! — that if we cannot learn to explicitly save our digital data, we will lose that data and, with it, the record that future generations might use to remember and understand us. ... Unlike the many venerable institutions that have for centuries refined their techniques for preserving analog data on clay, stone, ceramic or paper, we have no corresponding reservoir of historical wisdom to teach us how to save our digital data. That does not mean there is nothing to learn from the past, only that we must work a little harder to find it."


(Related) Gee, maybe the school didn't need a warrant either?

http://yro.slashdot.org/story/10/02/24/025225/Utah-Considers-Warrantless-Internet-Subpoenas?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Utah Considers Warrantless Internet Subpoenas

Posted by kdawson on Wednesday February 24, @08:10AM

seneces writes

"The Utah State Legislature is considering a bill granting the Attorney General's Office the ability to demand customer information from Internet or cell phone companies via an administrative subpoena, with no judicial review (text of the HB150). This represents an expansion of a law passed last year, which granted that ability when 'it is suspected that a child-sex crime has been committed.' Since becoming law, last year's bill has led to more than one non-judicial request per day for subscriber information. Pete Ashdown, owner of a local ISP and 2006 candidate for the US Senate, has discussed his position and the effects of this bill."



Is this as easy as stealing candy from babies?

http://yro.slashdot.org/story/10/02/23/2236254/Criminals-Hide-Payment-Card-Skimmers-In-Gas-Pumps?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Criminals Hide Payment-Card Skimmers In Gas Pumps

Posted by kdawson on Tuesday February 23, @07:36PM

tugfoigel writes

"Wave of recent bank-card skimming incidents demonstrate how sophisticated the scam has become. Criminals hid bank card-skimming devices inside gas pumps (in at least one case, even completely replacing the front panel of a pump [and no one notices! Bob]) in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks. Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah." [Fairly specific data – not just the same gas station. Bob]



No surprise.

http://www.pogowasright.org/?p=7960

Italian Court Finds Google Violated Privacy

February 24, 2010 by Dissent

Eric Sylvers and Eric Pfanner report:

Three Google executives were convicted of violating Italian privacy laws on Wednesday in a case that the company says could undermine freedom of expression on the Internet.

The case involved online videos showing an autistic boy being bullied by classmates in Turin. They were posted in 2006 on Google Video, an online video-sharing service that Google started before its acquisition of YouTube.

[...]

The officials who were found guilty are Peter Fleischer, Google’s chief privacy counsel; [Attention CPOs! Bob] David Drummond, senior vice president and chief legal officer, and George Reyes, a former chief financial officer. The executives, who were named because Italian law holds corporate executives responsible for a company’s actions, received six-month suspended sentences.

While the executives were found guilty of privacy violations, they were cleared of charges of defamation.

Though the executives will not have to serve prison time, the verdicts are nonetheless a black eye for Google, potentially tarnishing its self-styled “don’t be evil” image.

Read more in the New York Times.

The AFP reports:

Each executive was given a six-month suspended sentence for violation of privacy, [Google spokesperson Bill] Echikson told AFP today, adding that Google would appeal the verdict.

And the BBC provides some reactions from the defendants:

David Drummond, chief legal officer at Google and one of those convicted, said he was “outraged” by the decision.

“I intend to vigorously appeal this dangerous ruling. It sets a chilling precedent,” he said.

“If individuals like myself and my Google colleagues who had nothing to do with the harassing incident, its filming or its uploading onto Google Video can be held criminally liable solely by virtue of our position at Google, every employee of any internet hosting service faces similar liability,” he added.

Peter Fleischer, privacy counsel at Google, was also found guilty.

He questioned how many internet platforms would be able to continue if the decision held.

“I realise I am just a pawn in a large battle of forces, but I remain confident that today’s ruling will be over-turned on appeal,” he said.



“Yeah they look young and innocent now, but all Texans are potential criminals!”

http://www.pogowasright.org/?p=7966

Suit possible over baby DNA sent to military lab for national database

February 24, 2010 by Dissent

Mary Ann Roser reports:

An Austin lawyer threatened to pursue a new federal lawsuit Monday after learning that some newborn blood samples in Texas went to the U.S. military for potential use in a database for law enforcement purposes.

The Department of State Health Services never mentioned the database to Jim Harrington, director of the Texas Civil Rights Project, who settled a lawsuit in December with the state over the indefinite storage of newborn blood without parental consent, or to the American-Statesman, which first reported on the little-known blood storage practice last spring. Harrington said he thought another suit was likely unless the health department destroys the information obtained from the blood samples or obtains consent.

[...]

An article Monday by the Texas Tribune, a news Web site, said the state health department sent 800 anonymous samples to the military to help create a national mitochondrial DNA database. The samples were sent in 2003 and 2007, according to the department’s Web site.

Carrie Williams, a health department spokeswoman, said the program wasn’t mentioned because, “We don’t publicize every agency initiative or contract, and obviously this is a sensitive topic.”

Read more in the American-Statesman.



If the US doesn't even make the “Top 10%”, let alone the “Top 10” (we're number 19), are we a “second-rate country?”

http://www.bespacific.com/mt/archives/023600.html

February 23, 2010

New ITU Report: Measuring the Information Society 2010

News release: "Prices for information and communication technology (ICT) services are falling worldwide, yet broadband Internet remains outside the reach of many in poor countries, ITU says in its Measuring the Information Society 2010 report released today. The report features the latest ICT Development Index (IDI), which ranks 159 countries according to their ICT level and compares 2007 and 2008 scores. "The report confirms that despite the recent economic downturn, the use of ICT services has continued to grow worldwide," says Sami Al Basheer Al Morshid, Director of ITU’s Telecommunication Development Bureau (BDT). All 159 countries included in the IDI have improved their ICT levels, and mobile cellular technology continues to be a key driver of growth. In 2010, ITU expects the global number of mobile cellular subscriptions to top five billion. "At the same time, the report finds that the price of telecommunication services is falling — a most encouraging development," said Mr Al Basheer. The IDI combines 11 indicators into a single measure that can be used as a benchmarking tool globally, regionally, and at national level, as well as helping track progress over time. It measures ICT access, use and skills, and includes such indicators as households with a computer, the number of fixed broadband Internet subscribers, and literacy rates. The world’s Top 10 most advanced ICT economies features eight countries from Northern Europe, with Sweden topping the IDI for the second year in a row. The Republic of Korea and Japan rank third and eighth, respectively."



For my Access database class (Why do these guides always come out at the end of the Quarter?)

http://www.makeuseof.com/tag/quick-guide-started-microsoft-access-2007/

A Quick Guide To Get Started With Microsoft Access 2007

Tuesday, February 23, 2010

The school district must be thrilled with this case by now...

http://www.pogowasright.org/?p=7949

Another twist in “webcamgate:” was the student’s laptop “missing?”

February 22, 2010 by Dissent

New revelations in The Philadelphia Inquirer hint that there may have been an innocent explanation for why the Lower Merion School District reportedly activated a webcam while the laptop was in the student’s home.

On the same day that a court issued a temporary restraining order that bars the district from reactivating the remote security system and orders them to preserve all electronic evidence, Dan Hardy, Derrick Nunnally, and John Shiffman report:

District spokesman Douglas Young yesterday repeated that the security program was developed to help recover lost or stolen laptops, and added: “This included tracking loaner laptops that may, against regulations, have been taken off campus.”

The wealthy Lower Merion district purchased Apple MacBook laptops for all 2,300 students in its Harriton and Lower Merion High Schools.

But the district requires all students to pay a $55 insurance fee, with a $100 deductible if they are damaged or lost, according to a 2009 letter to parents from Harriton principal Steven R. Kline. “No uninsured laptops are permitted off campus,” Kline wrote.

Each school has a pool of “loaner laptops” available for students who haven’t paid the fee. Asked if Robbins took a loaner computer home without authorization, Young declined to comment.

Was Blake Robbins’ laptop an uninsured laptop that was seemingly “missing” because it left campus? It’s not clear from the news coverage as the district did not answer that question and the family would not speak with the reporter. But this case could soon find itself on very wobbly legs if it turns out that the student triggered security monitoring by removing a laptop from campus that should not have been removed.

The reporters also reveal that some students had confronted the administration last year about the potential for students to be spied on via the iSight system and encouraged the administration to inform the student body about any surveillance policies. No statement was reportedly issued, however, despite the students contacting the administration again to express their concerns.

Read more in The Philadelphia Inquirer and MyFoxPhilly.com.

[From the MyFoxPhilly article:

The school district has already admitted and apologized for never letting students or parents know about the webcam technology.

… The question is whether that admitted failure to notify is a smoking gun that will cost the district big time in a civil lawsuit.

… David Post, a Temple University law professor who specializes in Internet issues, told Fox 29 News, "The failure to get permission was just a colossal mistake on their part. I mean, there's no other way, as a legal matter, as sort of a moral matter, as a school administrative matter – somebody dropped the ball on that. I mean, we all make mistakes…"

Is that the kind of thing that could cost the district? "Oh, absolutely," Post said.

… Fox 29 News called the president of the teachers' union, the Lower Merion Education Association, and asked whether Harriton teachers use district-issued laptops. The answer was "yes."

Asked whether those teachers knew the computers could be used as a remote camera, the answer was "no comment." [Which is Union-speak for: “We have to see how this will play out in contract negotiations...” Bob]

[From the Inquirer article:

A laptop security program at Lower Merion schools was, when triggered, set up to snap multiple photos of whoever was using the computer, a district computer employee said in a 2008 webcast. [So who saw this webcast? Perhaps parents and students DID know about the cameras. The webcast makes it sound like the camera starts whenever it attaches to the school server... Bob]

As an example, network technician Mike Perbix said, the system snapped as many as 20 photos of a teacher and some students without their knowledge while they were in a high school classroom during regular classes.


(Related) Do you have a camera in your laptop?

http://news.cnet.com/8301-19518_3-10457737-238.html?part=rss&subj=news&tag=2547-1_3-0-20

Many ways to activate Webcams sans spy software



Why don't they comply with state breach reporting requirements? Someone thinks the breach is harmless... (i.e., their name wasn't on the list.)

http://www.databreaches.net/?p=10122

FEATURED: HHS starts to reveal healthcare breaches reported to government

This entry was posted Tuesday, 23 February, 2010 at 11:33 am

When HITECH was passed as part of the stimulus bill, it introduced new data breach notification requirements, including a requirement that breaches of unsecured personal health information held by covered entities or their business associates affecting more than 500 individuals be reported to the U.S. Department of Health & Human Services.

The requirement was somewhat watered down in the final regulations that introduced a harm threshold for reporting, and it seems that HHS has decided that its obligation is to provide a summary of the reports filed by entities instead of uploading the actual reporting forms, but the web site for such reports is now displaying summary reports received by HHS since September 23, 2009.

Many of the incidents reported have never been revealed in the media even though affected individuals may have been notified: 24 of the 36 reports below were never previously reported on this site or PHIprivacy.net.

It is not clear why HHS is seemingly shielding the names of private practitioners. If the whole purpose of this provision of the HITECH Act was to inform the public, shielding the names of doctors does not further that goal.

In the following list, breaches indicated by asterisks have not been reported in the media or included on this site previously.

[List omitted Bob]



So easy, a caveman can do it! Or the students in my Computer Security classes.

http://news.slashdot.org/story/10/02/22/2353257/How-Banker-Trojans-Steal-Millions-Every-Day?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

How Banker Trojans Steal Millions Every Day

Posted by kdawson on Monday February 22, @09:33PM

redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts.

"Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
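To make the "man in the browser" mechanism concrete, here is an added example that is not from the blog post or from any toolkit: a web-inject rule in the shape a Zeus-style config uses (a URL mask, marker text, and markup to insert), applied to a constructed bank login page, followed by the two checks a defender can run. The bank, the page, the field names and the rule are all invented for the illustration.

```python
import fnmatch
import re

# Constructed web-inject rule in the shape a Zeus-style toolkit config uses:
# a URL mask, the marker text to look for, and the markup to insert before it.
# The bank, the page and the field names are invented for this example.
INJECT_RULES = [
    {
        "url_mask": "*bank.example/login*",
        "data_before": '<input type="submit"',
        "data_inject": '<label>ATM PIN <input name="atm_pin" type="password"></label>\n',
    },
]

# The login page exactly as the bank serves it (constructed).
BANK_LOGIN_PAGE = """<form method="post" action="/login">
<input name="user" type="text">
<input name="pass" type="password">
<input type="submit" value="Sign in">
</form>"""


def apply_webinjects(url, html, rules=INJECT_RULES):
    """What the trojan's browser hook does: rewrite the HTML for a matching
    URL after TLS has been stripped and before the renderer sees it, so the
    victim gets a page that asks for more than the bank ever did."""
    for rule in rules:
        if fnmatch.fnmatchcase(url, rule["url_mask"]) and rule["data_before"] in html:
            html = html.replace(rule["data_before"],
                                rule["data_inject"] + rule["data_before"], 1)
    return html


def form_fields(html):
    """Names of the <input> fields in a page."""
    return set(re.findall(r'<input[^>]*\bname="([^"]+)"', html))


def injected_fields(served_html, rendered_html):
    """Client-side tell: fields the browser shows that the server never sent.
    Only something outside the compromised browser (a proxy, a second device)
    can make this comparison honestly; the trojan owns the page the user sees."""
    return form_fields(rendered_html) - form_fields(served_html)


EXPECTED_LOGIN_FIELDS = form_fields(BANK_LOGIN_PAGE)


def unexpected_post_fields(posted, expected=EXPECTED_LOGIN_FIELDS):
    """Server-side tell: field names in a login POST that the real form does
    not have. Catches injects that let the extra field ride along to the bank;
    a careful inject strips it first, so an empty result is no proof of a
    clean browser."""
    return set(posted) - expected


if __name__ == "__main__":
    seen = apply_webinjects("https://bank.example/login?ref=home", BANK_LOGIN_PAGE)
    print(seen)
    print("injected:", injected_fields(BANK_LOGIN_PAGE, seen))
    print("unexpected in POST:", unexpected_post_fields({"user", "pass", "atm_pin"}))
```

The point of the toolkit model the post describes is that the rule file, not the trojan, decides which banks and which fields; swapping in a different `INJECT_RULES` retargets the same binary, which is why taking down one botnet or one crew changes little.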


(Related) A specific example? And an interesting test case. Let the Amicus briefs fly!

http://www.databreaches.net/?p=10114

Customer Vs. Bank: Who is Liable for Fraud Losses?

This entry was posted Monday, 22 February, 2010 at 3:40 pm

Linda McGlasson writes:

At first this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.

But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.

“It will establish who is liable in the U.S. – the bank or the customer – for fraud losses that result from phishing,” says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.

Read more on BankInfoSecurity.com

[From the article:

While EMI and Comerica argue over liability, Gartner's Litan says the nation's legislators and banking regulators bear the bulk of the blame for such breaches. "It's their job to set the rules for soundness and safety of the U.S. banking system, and to enforce that the banks execute those rules," she says. "They are negligent here - in not passing legislation that protects business accounts (as Reg E protects consumer accounts) and in not enforcing security measures at the banks, as set forth by the FFIEC strong authentication guidance," Litan says.


(Related)

http://www.databreaches.net/?p=10129

Another business sues its bank over unauthorized ACH transactions

This entry was posted Tuesday, 23 February, 2010 at 11:38 am

Brian Krebs on another case where a business is suing its bank over unauthorized transactions that were not credited or reversed by the bank:

On Feb. 10, Hudson, N.H. based Cynxsure LLC received a voicemail message from its bank, Swift Financial, a Wilmington, Del. institution that focuses on offering financial services to small businesses. The message said to contact the bank to discuss an automated clearing house (ACH) payment batch that had been posted to Cynxsure’s account.

The next day, Cynxsure’s owner Keith Wolters returned the call and learned from Swift that someone had put through an unauthorized batch of ACH transfers totaling $96,419.30. The batch payment effectively added 10 new individuals to the company’s payroll, sending each slightly less than $10,000. None of the individuals had any prior business or association with Cynxsure.

Read more on KrebsonSecurity.com.

[From the article:

Swift, like all commercial banking institutions serving businesses in the United States, is required under federal guidelines to secure customer transactions using some form of “multi-factor authentication,” or something else in addition to just a user name and password.

Swift and many other commercial banks have chosen to adopt a technology that requires business customers to “register” the computer they use to do online banking, by answering a set of “secret questions.” Customers are generally prompted to answer these questions if they try to access their accounts from a new computer or if the customer tries to log in to his or her account using an Internet address that the bank has never seen associated with that account before.

Wolters said the bank told him that whoever initiated the bogus transaction did so from another Internet address in New Hampshire, and successfully answered two of his secret questions.
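The shape of that batch (ten receivers the company had never paid, each a little under $10,000) is exactly what a release-time screen should catch before the money moves. The Python below is an added example, not anything Swift Financial or Cynxsure ran: the payee history, the batch amounts and the thresholds are constructed, with the amounts chosen to total $96,419.30 like the batch in the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AchEntry:
    receiver: str
    account: str   # receiving account identifier
    cents: int     # amount in cents, so totals are exact


# Constructed history: accounts this company has paid before, and the totals
# (in cents) of its last few payroll batches.
KNOWN_ACCOUNTS = {"ACC-100", "ACC-101", "ACC-102", "ACC-103"}
HISTORY_TOTALS = [412_000, 398_500, 405_250]

# A normal payroll run (constructed).
NORMAL_BATCH = [
    AchEntry("Staff 1", "ACC-100", 100_000), AchEntry("Staff 2", "ACC-101", 105_000),
    AchEntry("Staff 3", "ACC-102", 98_000), AchEntry("Staff 4", "ACC-103", 102_000),
]

# A batch shaped like the one in the article: ten receivers the company has
# never paid, each a little under $10,000 (names and amounts constructed).
SUSPECT_BATCH = [
    AchEntry(f"Mule {i}", f"ACC-9{i:02d}", cents) for i, cents in enumerate([
        964_000, 965_550, 961_225, 969_810, 963_040,
        967_575, 960_190, 966_005, 962_235, 962_300])
]


def batch_total(entries):
    return sum(e.cents for e in entries)


def screen_batch(entries, known_accounts, history_totals,
                 round_figure=1_000_000, near=0.15, max_new=2, growth=2.0):
    """Return (reason, detail) findings; an empty list means release.
    Each check is a tell that an account takeover, not payroll, built the
    batch: many receivers never paid before, amounts parked just under a
    round figure, and a total far above anything in the batch history."""
    findings = []
    new = [e for e in entries if e.account not in known_accounts]
    if len(new) > max_new:
        findings.append(("new_receivers",
                         f"{len(new)} of {len(entries)} receivers never paid before"))
    clustered = [e for e in entries
                 if round_figure * (1 - near) <= e.cents < round_figure]
    if len(clustered) >= 3 and len(clustered) * 2 >= len(entries):
        findings.append(("clustered_amounts",
                         f"{len(clustered)} amounts sit just under ${round_figure / 100:,.0f}"))
    total = batch_total(entries)
    if history_totals and total > growth * max(history_totals):
        findings.append(("batch_total",
                         f"${total / 100:,.2f} is over {growth}x the largest prior batch"))
    return findings


if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_BATCH), ("suspect", SUSPECT_BATCH)):
        print(name, f"${batch_total(batch) / 100:,.2f}",
              screen_batch(batch, KNOWN_ACCOUNTS, HISTORY_TOTALS) or "release")
```

A finding should hold the batch for an out-of-band callback to the customer, not just log it; the registered-computer and secret-question control the article describes was beaten by someone who already had the answers, so the batch itself is the last place the fraud is visible.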


(Related)

http://www.databreaches.net/?p=10111

Widespread Data Breaches Uncovered by FTC Probe

This entry was posted Monday, 22 February, 2010 at 2:11 pm

The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new education materials that present the risks and recommend ways to manage them.

… “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz. “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.

… The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses’ notification responsibilities in these circumstances.



Strategy for Cyber Security?

http://yro.slashdot.org/story/10/02/22/2113205/An-Interview-With-Cybersecurity-Czar-Howard-Schmidt?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

An Interview With Cybersecurity Czar Howard Schmidt

Posted by ScuttleMonkey on Monday February 22, @05:29PM

Trailrunner7 writes to tell us that US cybersecurity czar Howard Schmidt recently gave an interview where he discusses his career and what he sees as the priorities of the positions.

"Howard Schmidt has been involved in just about every aspect of the security industry during his career. After stints in the Air Force and at Microsoft, he served as a cybersecurity advisor to George W. Bush. Now, after heading back to the private sector for several years, he's been appointed to serve as President Obama's security advisor."

[Listen to the podcast here: http://threatpost.com/en_us/blogs/howard-schmidt-cyber-security-czar-cybercrime-and-how-fix-federal-cyber-security-122209



The equation: “celebrity” patient + desire for advertising + paparazzi = no privacy may need to be modified to include “celebrity lawsuit”

http://www.phiprivacy.net/?p=2036

Charlie Sheen’s Wife In New Rehab, Plans Suit

By Dissent, February 22, 2010 8:31 pm

Brooke Mueller, Charlie Sheen’s wife, is in a new rehab facility and she plans to sue the one she just left for allegedly violating her privacy … TMZ has learned.

Brooke’s lawyer, Yale Galanter, tells TMZ, “Brooke was forced to leave The Canyon rehab facility because of the security breach.” As TMZ first reported, someone from the facility leaked Brooke’s admission form to the media, which contained very personal information about her substance abuse.

Galanter says he will file a lawsuit on behalf of Brooke against The Canyon and plans “to have the individual responsible for leaking the information arrested.”

Read more on TMZ.


(Related) Would the court expand this to non-governmental entities?

http://www.pogowasright.org/?p=7945

Ninth Circuit addresses “actual damages” under the Privacy Act

February 22, 2010 by Dissent

A new ruling from the Ninth Circuit in Cooper v. FAA addresses the meaning of “actual damages” in the Privacy Act. The case arose when federal agencies shared information without consent in “Operation Safe Pilot:”

The Privacy Act of 1974, 5 U.S.C. § 552a et seq. (the Act), prohibits federal agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency” without the consent of “the individual to whom the record pertains,” unless the disclosure falls within one or more enumerated exceptions to the Act. Id. § 552a(b). The Act also creates a private cause of action against an agency for its wilful or intentional violation of the Act that has “an adverse effect on an individual,” and allows for the recovery of “actual damages” sustained as a result of such a violation. Id. §§ 552a(g)(1)(D), (g)(4)(A).

Plaintiff Stanmore Cawthon Cooper claims to have sustained actual damages as the result of an interagency exchange of information performed as part of a joint criminal investigation by Defendants Federal Aviation Administration (FAA), Social Security Administration (SSA), and Department of Transportation (DOT) (collectively, the Government). Cooper seeks actual damages for nonpecuniary injuries, such as humiliation, mental anguish, and emotional distress, as a result of the unauthorized interagency disclosure of his medical information; he does not claim any pecuniary or out-of-pocket losses.

Because Cooper seeks damages only for nonpecuniary injuries, the district court granted summary judgment to the Government, after holding that the Act allows recovery only for pecuniary damages. We hold that actual damages under the Act encompasses both pecuniary and nonpecuniary damages. We reverse and remand to the district court.

Read the court opinion here.



Why would anyone (even Marketing) do something like this?

http://games.slashdot.org/story/10/02/23/0656238/Patent-Markings-May-Spell-Trouble-For-Activision?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Patent Markings May Spell Trouble For Activision

Posted by Soulskill on Tuesday February 23, @06:41AM

eldavojohn writes

"If you pick up your copy of Guitar Hero and read the literature, you'll notice it says 'patent pending' and cites a number of patents. A group alleges no such patent pends nor are some of the patents applicable. If a judge finds Activision guilty of misleading the public in this manner, they could become liable for up to $500 per product sold under false patent marking. The patents in question seem to be legitimately Guitar Hero-oriented, and little is to be found about the mysterious group. The final piece of the puzzle puts the filing in Texas Northern District Court, which might be close enough to Texas Eastern District Court to write this off as a new kind of 'false patent marking troll' targeting big fish with deep coffers."



Bad science is bad science. If both sides spend all their time 'debunking' each other, who is actually studying the climate? (A common problem when science is politically driven.)

http://news.slashdot.org/story/10/02/23/0158232/Debunking-a-Climate-Change-Skeptic?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Debunking a Climate-Change Skeptic

Posted by kdawson on Tuesday February 23, @01:01AM

DJRumpy writes

"The Danish political scientist Bjørn Lomborg won fame and fans by arguing that many of the alarms sounded by environmental activists and scientists — that species are going extinct at a dangerous rate, that forests are disappearing, that climate change could be catastrophic — are bogus. A big reason Lomborg was taken seriously is that both of his books, The Skeptical Environmentalist (in 2001) and Cool It (in 2007), have extensive references, giving a seemingly authoritative source for every one of his controversial assertions. So in a display of altruistic masochism that we should all be grateful for (just as we're grateful that some people are willing to be dairy farmers), author Howard Friel has checked every single citation in Cool It. The result is The Lomborg Deception, which is being published by Yale University Press next month. It reveals that Lomborg's work is 'a mirage,' writes biologist Thomas Lovejoy in the foreword. '[I]t is a house of cards. Friel has used real scholarship to reveal the flimsy nature' of Lomborg's work."



Free is good (and often very useful). For my website and presentation classes.

http://techcrunch.com/2010/02/22/fotolia-lets-you-animate-photos-with-flixtime/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Fotolia Lets You Animate Photos With Flixtime

by Leena Rao on Feb 22, 2010

Microstock photography giant Fotolia is launching a new site, called Flixtime, that allows users to create simple video slideshows. Similar to the simplicity of Animoto, Flixtime allows you to produce 60-second videos from your photos easily and quickly.

Once you register for a free account, you’ll be able to upload your own photos or stock photos from Fotolia’s selection of images. You can also upload your own music, or choose from Fotolia’s stock music collection. And you can add text to any slide as well.

Once you create a video, you can share the file to Facebook, Twitter, YouTube and other destinations. You can also choose to download the file to your computer for further editing.



For my Business majors

http://www.wired.com/magazine/2010/02/ff_futureofmoney?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

The Future of Money: It’s Flexible, Frictionless and (Almost) Free



The future of portable storage, but I want one now! (Eye catching headline, too)

http://www.wired.com/gadgetlab/2010/02/compactflash-cards-could-soon-hold-petabytes-of-data/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

In the Future, One CF Card Will Hold 200 Years’ Worth of Porn

By Dylan F. Tweney February 22, 2010 3:09 pm