The school district must be thrilled with this case by now...
http://www.pogowasright.org/?p=7949
Another twist in “webcamgate:” was the student’s laptop “missing?”
February 22, 2010 by Dissent
New revelations in The Philadelphia Inquirer hint that there may have been an innocent explanation for why the Lower Merion School District reportedly activated a webcam while the laptop was in the student’s home.
On the same day that a court issued a temporary restraining order that bars the district from reactivating the remote security system and orders them to preserve all electronic evidence, Dan Hardy, Derrick Nunnally, and John Shiffman report:
District spokesman Douglas Young yesterday repeated that the security program was developed to help recover lost or stolen laptops, and added: “This included tracking loaner laptops that may, against regulations, have been taken off campus.”
The wealthy Lower Merion district purchased Apple MacBook laptops for all 2,300 students in its Harriton and Lower Merion High Schools.
But the district requires all students to pay a $55 insurance fee, with a $100 deductible if they are damaged or lost, according to a 2009 letter to parents from Harriton principal Steven R. Kline. “No uninsured laptops are permitted off campus,” Kline wrote.
Each school has a pool of “loaner laptops” available for students who haven’t paid the fee. Asked if Robbins took a loaner computer home without authorization, Young declined to comment.
Was Blake Robbins’ laptop an uninsured laptop that was seemingly “missing” because it left campus? It’s not clear from the news coverage as the district did not answer that question and the family would not speak with the reporter. But this case could soon find itself on very wobbly legs if it turns out that the student triggered security monitoring by removing a laptop from campus that should not have been removed.
The reporters also reveal that some students had confronted the administration last year about the potential for students to be spied on via the iSight system and encouraged the administration to inform the student body about any surveillance policies. No statement was reportedly issued, however, despite the students contacting the administration again to express their concerns.
Read more in The Philadelphia Inquirer and MyFoxPhilly.com.
[From the MyFoxPhilly article:
The school district has already admitted and apologized for never letting students or parents know about the webcam technology.
… The question is whether that admitted failure to notify is a smoking gun that will cost the district big time in a civil lawsuit.
… David Post, a Temple University law professor who specializes in Internet issues, told Fox 29 News, "The failure to get permission was just a colossal mistake on their part. I mean, there's no other way, as a legal matter, as sort of a moral matter, as a school administrative matter – somebody dropped the ball on that. I mean, we all make mistakes…"
Is that the kind of thing that could cost the district? "Oh, absolutely," Post said.
… Fox 29 News called the president of the teachers' union, the Lower Merion Education Association, and asked whether Harriton teachers use district-issued laptops. The answer was "yes."
Asked whether those teachers knew the computers could be used as a remote camera, the answer was "no comment." [Which is Union-speak for: We have to see how this will play out in contract negotiations...” Bob]
[From the Inquirer article:
A laptop security program at Lower Merion schools was, when triggered, set up to snap multiple photos of whoever was using the computer, a district computer employee said in a 2008 webcast. [So who saw this webcast? Perhaps parents and students DID know about the cameras. The webcast make it sound like the camera starts whenever it attaches to the school server... Bob]
As an example, network technician Mike Perbix said, the system snapped as many as 20 photos of a teacher and some students without their knowledge while they were in a high school classroom during regular classes.
(Related) Do you have a camera in your laptop?
http://news.cnet.com/8301-19518_3-10457737-238.html?part=rss&subj=news&tag=2547-1_3-0-20
Many ways to activate Webcams sans spy software
Why don't they comply with state breach reporting requirements? Someone thinks the breach is harmless... (i.e. Their name wasn't on the list.)
http://www.databreaches.net/?p=10122
FEATURED: HHS starts to reveal healthcare breaches reported to government
This entry was posted Tuesday, 23 February, 2010 at 11:33 am
When HITECH was passed as part of the stimulus bill, it introduced new data breach notification requirements, including a requirement that breaches of unsecured personal health information held by covered entities or their business associates affecting more than 500 individuals be reported to the U.S. Department of Health & Human Services.
The requirement was somewhat watered down in the final regulations that introduced a harm threshold for reporting, and it seems that HHS has decided that its obligation is to provide a summary of the reports filed by entities instead of uploading the actual reporting forms, but the web site for such reports is now displaying summary reports received by HHS since September 23, 2009.
Many of the incidents reported have never been revealed in the media even though affected individuals may have been notified: 24 of the 36 reports below were never previously reported on this site or PHIprivacy.net.
It is not clear why HHS is seemingly shielding the name of private practitioners as if the whole purpose of this provision of the HITECH Act was to inform the public, shielding the names of doctors does not further that goal.
In the following list, breaches indicated by asterisks have not been reported in the media or included on this site previously.
[List omitted Bob]
So easy, a caveman can do it! Or the students in my Computer Security classes
http://news.slashdot.org/story/10/02/22/2353257/How-Banker-Trojans-Steal-Millions-Every-Day?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
How Banker Trojans Steal Millions Every Day
Posted by kdawson on Monday February 22, @09:33PM
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts.
"Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
(Related) A specific example? And an interesting test case. Let the Amicus briefs fly!
http://www.databreaches.net/?p=10114
Customer Vs. Bank: Who is Liable for Fraud Losses?
This entry was posted Monday, 22 February, 2010 at 3:40 pm
Linda McGlasson writes:
At first this court case was a curiosity: Experi-Metal Inc. (EMI), a Michigan-based metal supply company, sued Comerica Bank, claiming that the bank exposed its customers to phishing attacks.
But now this story shapes up as a significant test case for the banking industry, raising several key questions that must be answered about fraud and responsibility.
“It will establish who is liable in the U.S. – the bank or the customer – for fraud losses that result from phishing,” says Tom Wills, Senior Analyst, Security, Fraud & Compliance, Javelin Strategy & Research.
Read more on BankInfoSecurity.com
[From the article:
While EMI and Comerica argue over liability, Gartner's Litan says the nation's legislators and banking regulators bear the bulk of the blame for such breaches. "It's their job to set the rules for soundness and safety of the U.S. banking system, and to enforce that the banks execute those rules," she says. "They are negligent here - in not passing legislation that protects business accounts (as Reg E protects consumer accounts) and in not enforcing security measures at the banks, as set forth by the FFIEC strong authentication guidance," Litan says.
(Related)
http://www.databreaches.net/?p=10129
Another business sues its bank over unauthorized ACH transactions
This entry was posted Tuesday, 23 February, 2010 at 11:38 am
Brian Krebs on another case where a business is suing its bank over unauthorized transactions that were not credited or reversed by the bank:
On Feb. 10, Hudson, N.H. based Cynxsure LLC received a voicemail message from its bank, Swift Financial, a Wilmington, Del. institution that focuses on offering financial services to small businesses. The message said to contact the bank to discuss an automated clearing house (ACH) payment batch that had been posted to Cynxsure’s account.
The next day, Cynxsure’s owner Keith Wolters returned the call and learned from Swift that someone had put through an unauthorized batch of ACH transfers totaling $96,419.30. The batch payment effectively added 10 new individuals to the company’s payroll, sending each slightly less than $10,000. None of the individuals had any prior business or association with Cynxsure.
Read more on KrebsonSecurity.com.
[From the article:
Swift, like all commercial banking institutions serving businesses in the United States, is required under federal guidelines to secure customer transactions using some form of “multi-factor authentication,” or something else in addition to just a user name and password.
Swift and many other commercial banks have chosen to adopt a technology that requires business customers to “register” the computer they use to do online banking, by answering a set of “secret questions.” Customers are generally prompted to answer these questions if they try to access their accounts from a new computer or if the customer tries to log in to his or her account using an Internet address that the bank has never seen associated with that account before.
Wolters said the bank told him that whoever initiated the bogus transaction did so from another Internet address in New Hampshire, and successfully answered two of his secret questions.
(Related)
http://www.databreaches.net/?p=10111
Widespread Data Breaches Uncovered by FTC Probe
This entry was posted Monday, 22 February, 2010 at 2:11 pm
The Federal Trade Commission has notified almost 100 organizations that personal information, including sensitive data about customers and/or employees, has been shared from the organizations’ computer networks and is available on peer-to-peer (P2P) file-sharing networks to any users of those networks, who could use it to commit identity theft or fraud. The agency also has opened non-public investigations of other companies whose customer or employee information has been exposed on P2P networks. To help businesses manage the security risks presented by file-sharing software, the FTC is releasing new education materials that present the risks and recommend ways to manage them.
… “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers–the kind of information that could lead to identity theft,” said FTC Chairman Jon Leibowitz. “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.
… The FTC also recommended that the entities identify affected customers and employees and consider whether to notify them that their information is available on P2P networks. Many states and federal regulatory agencies have laws or guidelines about businesses’ notification responsibilities in these circumstances.
Strategy for Cyber Security?
http://yro.slashdot.org/story/10/02/22/2113205/An-Interview-With-Cybersecurity-Czar-Howard-Schmidt?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
An Interview With Cybersecurity Czar Howard Schmidt
Posted by ScuttleMonkey on Monday February 22, @05:29PM
Trailrunner7 writes to tell us that US cybersecurity czar Howard Schmidt recently gave an interview where he discusses his career and what he sees as the priorities of the positions.
"Howard Schmidt has been involved in just about every aspect of the security industry during his career. After stints in the Air Force and at Microsoft, he served as a cybersecurity advisor to George W. Bush. Now, after heading back to the private sector for several years, he's been appointed to serve as President Obama's security advisor."
[Listen to the podcast here: http://threatpost.com/en_us/blogs/howard-schmidt-cyber-security-czar-cybercrime-and-how-fix-federal-cyber-security-122209
The equation: “celebrity” patient + desire for advertising + paperazzi = no privacy may need to be modified to include “celebrity lawsuit”
http://www.phiprivacy.net/?p=2036
Charlie Sheen’s Wife In New Rehab, Plans Suit
By Dissent, February 22, 2010 8:31 pm
Brooke Mueller, Charlie Sheen’s wife, is in a new rehab facility and she plans to sue the one she just left for allegedly violating her privacy … TMZ has learned.
Brooke’s lawyer, Yale Galanter, tells TMZ, “Brooke was forced to leave The Canyon rehab facility because of the security breach.” As TMZ first reported, someone from the facility leaked Brooke’s admission form to the media, which contained very personal information about her substance abuse.
Galanter says he will file a lawsuit on behalf of Brooke against The Canyon and plans “to have the individual responsible for leaking the information arrested.”
Read more on TMZ.
(Related) Would the court expand this to non-governmental entities?
http://www.pogowasright.org/?p=7945
Ninth Circuit addresses “actual damages” under the Privacy Act
February 22, 2010 by Dissent
A new ruling from the Ninth Circuit in Cooper v. FAA addresses the meaning of “actual damages” in the Privacy Act. The case arose when federal agencies shared information without consent in “Operation Safe Pilot:”
The Privacy Act of 1974, 5 U.S.C. § 552a et seq. (the Act), prohibits federal agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency” without the consent of “the individual to whom the record pertains,” unless the disclosure falls within one or more enumerated exceptions to the Act. Id. § 552a(b). The Act also creates a private cause of action against an agency for its wilful or intentional violation of the Act that has “an adverse effect on an individual,” and allows for the recovery of “actual damages” sustained as a result of such a violation. Id. § § 552a(g)(1)(D), (g)(4)(A).
Plaintiff Stanmore Cawthon Cooper claims to have sustained actual damages as the result of an interagency exchange of information performed as part of a joint criminal investigation by Defendants Federal Aviation Administration (FAA), Social Security Administration (SSA), and Department of Transportation (DOT) (collectively, the Government). Cooper seeks actual damages for nonpecuniary injuries, such as humiliation, mental anguish, and emotional distress, as a result of the unauthorized interagency disclosure of his medical information; he does not claim any pecuniary or out-of-pocket losses.
Because Cooper seeks damages only for nonpecuniary injuries, the district court granted summary judgment to the Government, after holding that the Act allows recovery only for pecuniary damages. We hold that actual damages under the Act encompasses both pecuniary and nonpecuniary damages. We reverse and remand to the district court.
Read the court opinion here.
Why would anyone (even Marketing) do something like this?
http://games.slashdot.org/story/10/02/23/0656238/Patent-Markings-May-Spell-Trouble-For-Activision?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Patent Markings May Spell Trouble For Activision
Posted by Soulskill on Tuesday February 23, @06:41AM
eldavojohn writes
"If you pick up your copy of Guitar Hero and read the literature, you'll notice it says 'patent pending' and cites a number of patents. A group alleges no such patent pends nor are some of the patents applicable. If a judge finds Activision guilty of misleading the public in this manner, they could become liable for up to $500 per product sold under false patent marking. The patents in question seem to be legitimately Guitar Hero-oriented, and little is to be found about the mysterious group. The final piece of the puzzle puts the filing in Texas Northern District Court, which might be close enough to Texas Eastern District Court to write this off as a new kind of 'false patent marking troll' targeting big fish with deep coffers."
Bad science is bad science. If both side spend all their time 'debunking' each other, who is actually studying climate? (A common problem when science is politically driven.)
http://news.slashdot.org/story/10/02/23/0158232/Debunking-a-Climate-Change-Skeptic?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Debunking a Climate-Change Skeptic
Posted by kdawson on Tuesday February 23, @01:01AM
DJRumpy writes
"The Danish political scientist Bjørn Lomborg won fame and fans by arguing that many of the alarms sounded by environmental activists and scientists — that species are going extinct at a dangerous rate, that forests are disappearing, that climate change could be catastrophic — are bogus. A big reason Lomborg was taken seriously is that both of his books, The Skeptical Environmentalist (in 2001) and Cool It (in 2007), have extensive references, giving a seemingly authoritative source for every one of his controversial assertions. So in a display of altruistic masochism that we should all be grateful for (just as we're grateful that some people are willing to be dairy farmers), author Howard Friel has checked every single citation in Cool It. The result is The Lomborg Deception, which is being published by Yale University Press next month. It reveals that Lomborg's work is 'a mirage,' writes biologist Thomas Lovejoy in the foreword. '[I]t is a house of cards. Friel has used real scholarship to reveal the flimsy nature' of Lomborg's work."
Free is good (and often very useful) For my website and presentation classes
http://techcrunch.com/2010/02/22/fotolia-lets-you-animate-photos-with-flixtime/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
Fotolia Lets You Animate Photos With Flixtime
by Leena Rao on Feb 22, 2010
Microstock photography giant Fotolia is launching a new site, called Flixtime, that allows users to create simple video slideshows. Similar to the simplicity of Animoto, Flixtime allows you to produce 60-second videos from your photos easily and quickly.
Once you register for a free account, you’ll be upload your own photos or stock photos from Fotolia’s selection of images. You can also upload your own music, or choose from Fotolia’s stock music collection. And you can add text to any slide as well.
Once you create a video, you can share the file to Facebook, Twitter, YouTube and other destinations. You can also choose to download the file to your computer for further editing.
For my Business majors
http://www.wired.com/magazine/2010/02/ff_futureofmoney?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29
The Future of Money: It’s Flexible, Frictionless and (Almost) Free
The future of portable storage, but I want one now! (Eye catching headline, too)
http://www.wired.com/gadgetlab/2010/02/compactflash-cards-could-soon-hold-petabytes-of-data/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29
In the Future, One CF Card Will Hold 200 Years’ Worth of Porn
By Dylan F. Tweney February 22, 2010 3:09 pm