The plot thickens! Good summary of the case so far. Indications of a typical “we never thought of that” attitude.
http://www.pogowasright.org/?p=8138
Two Lower Merion School District IT workers placed on leave
March 4, 2010 by Dissent
Joseph Tanfani reports:
Two information-technology employees at Lower Merion School District have been placed on leave while an investigation continues into the use of remote surveillance software on student laptops. [“Paid leave” is one thing, “unpaid leave” suggests they are going to be the scapegoats. Bob]
The two people authorized to activate the software – Michael Perbix, a network technician, and Carol Cafiero, information systems coordinator – were put on paid leave last week while lawyers and technicians examine how the remote system was used, The Inquirer learned today.
Lawyers for Cafiero and Perbix said their clients did nothing wrong. Perbix and Cafiero only turned on the remote software when a laptop was reported missing, they said – and administrators knew what they were doing.
“A phone call had to come from the high school to turn it on,” [“Phone call” suggests no written records? And should I read “from the high school” to suggest these guys were in another location? Bob] said Charles Mandracchia, attorney for Cafiero. “And if it was turned on it was turned on with the understanding that the computer was either lost or stolen.”
Read more on Philly.com
[From the article:
Their lawyers said the use of the software was no secret. [Except from parents and students of course. Bob] On at least two occasions, the district turned over pictures and other information to Lower Merion police so they could help track stolen laptops.
The school district even set up a secure Web site so the police could have access to pictures and other information, according to attorneys in the case. [New, but not surprising. Who, beside the police, had access? Bob]
… In each case, the tracking has to be turned on for an individual computer. Once that happens, the program will begin snapping photos and recording the computer's Internet location at regular intervals, as long as the laptop is on, open and connected to the Internet.
At Lower Merion, that interval was usually set at the default, 15 minutes.
… Once, he said, he turned it on and found out that a computer that was thought missing was really in a classroom; by the time he checked, the camera had snapped 20 pictures of a teacher and students, he said. [20 pictures, 15 minutes apart... That's 4 hours & 45 minutes to determine that the computer is in a classroom? Bob]
… "There were enough policies in place that no one was running amok with these systems," Neff said. But no one in the district's administration office made those policies official.
"Unfortunately, I don't think they were written policies that were adopted by administrators," Neff said.
(Related) Some background on the school district. Would you believe the high school cost $100 million?
http://www.philly.com/philly/news/20100303_L__Merion_schools_a_picture_in_polarity.html?viewAll=y
L. Merion schools a picture in polarity
… The results are evident in the twin Taj Mahals of academia rising up in the district - the $100 million new Harriton High, which opened last fall with its three gyms and greenhouse and passive solar lighting, and the nearly identical new Lower Merion High under construction. There are the little touches, too, like Sushi Thursdays.
Maybe it's just a negotiating tactic, maybe they know how Identity Theft works. I suspect the latter.
http://www.databreaches.net/?p=10437
Alaska state employees’ union wants more protection after breach
March 4, 2010 by admin
The Alaska State Employees Association (ASEA) is seemingly unhappy with the two-year benefits plan being offered to over 77,000 state employees whose data were lost by PricewaterhouseCooper. The personal information included their names, social security numbers, and dates of birth. ASEA represents almost 8,000 of the state employees.
In a press release issued today, ASEA indicates that it has a number of concerns regarding the loss of the information and the state’s response:
ASEA does not believe that the state’s offer of two years of free identity theft protection relieves the state of responsibility for the incident. It is ASEA’s position that the state should be responsible for any damage that may result, including damage that occurs outside this arbitrary two-year window. [I like it! Bob]
The state’s decision to make employees protect themselves, by explicitly enrolling in the identity theft protection program, is backwards. [Agreed! Bob] Affected individuals should be enrolled automatically. ASEA also believes that the state remains responsible for any harm, regardless of whether an individual has explicitly requested the protection service.
Jim Duncan, ASEA/AFSCME Local 52 Business Manager said, “It could be extremely damaging to those individuals whose data has been lost, and the state’s response appears to be insufficient.”
Duncan has sent a letter to Annette Kreitzer, Commissioner of the Department of Administration, expressing the union’s concerns and asking for additional information about the nature of the loss of this information:
The information was lost when Price/Waterhouse moved office locations. In what form was the information when it was lost? Was it on a Compact Disc (Electronic) or was it on paper (Files)? Did the information include the names and confidential information for beneficiaries of the active and retired employees? Are people still looking for the files? Have the police been asked to investigate this loss? What efforts have been taken to find the missing information?
All good questions. Why weren’t they answered in the notification sent to those affected?
(Related) Either “somebody gets it” or “somebody is really scared.”
http://www.databreaches.net/?p=10420
HOW many years of free credit alerts?
March 4, 2010 by admin
I don’t know if this is some kind of record, but the Iowa Racing and Gaming Commission is notifying people who were affected by the security breach reported in January that they can get an additional 7 years of fraud victim alerts on their credit reports at no charge. The story’s here.
Does anyone remember seeing a breach that offered more than that?
[From the article:
Commission Administrator Jack Ketterer said the commission is unaware of any incident of identity theft related to the breach. [So what are they worried about? Bob]
Interesting point!
http://www.phiprivacy.net/?p=2152
RSA: Identity Theft Challenges for Healthcare
By Dissent, March 5, 2010 8:08 am
Tony Kontzer reports:
The phenomenon of medical identity theft is on the rise, and healthcare companies face more challenges in addressing the issue than their counterparts in the financial services industry, a panel of experts agreed Thursday at the RSA 2010 conference in San Francisco.
The Federal Trade Commission estimates the number of American patients victimized by medical ID theft each year at 250,000, and research firm Javelin Group recently reported that while the number of incidents is relatively low in comparison with financial identity theft, the financial impact of medical ID thefts is much higher because of the astronomical costs of medical care.
Ryan Brewer, chief information security officer for the Centers for Medicare & Medicaid Services (CMS), said the financial industry has done a good job of dealing with this, in part by sending the all-too-familiar letters alerting customers of suspected data breaches and re-issuing affected credit cards. Such simple actions won’t work for healthcare firms, Brewer said. “How often have you gotten a letter from a healthcare provider saying, ‘We had some data stolen, and we’re issuing you a new blood type’?” he asked.
Read more on CIO Insight.
No fact too obscure! After all, they might find a new way to tax us. Especially if the Greens can influence the lawmakers. Garbage = sin tax!
http://www.pogowasright.org/?p=8147
Some Brits fear garbage-spying microchips
March 5, 2010 by Dissent
Raphael G. Satter of the Associated Press reports:
Monitored by millions of cameras and spied on by a secretive domestic intelligence network, Britons could be forgiven for feeling up in arms over the latest threat to their privacy: Intelligent garbage bins that can monitor how much they throw out.
Although the technology is already nearly a decade old, a U.K. privacy rights group says the number of local authorities fitting their trash bins with sensors of some kind has risen dramatically in the past year — affecting at least 2.6 million British households.
Big Brother Watch says the practice could lead to Britons being charged for how much they throw out — and effectively allow the government to go through their garbage.
Read more in the Chicago Tribune.
This is run by lawyers? How techie of them! Think of all the other areas of the law where we could “automate the lawyering.”
http://www.makeuseof.com/dir/privacypolicygenerator-privacy-policy-for-your-website
PrivacyPolicyGenerator: Generate A Privacy Policy For Your Website
… One option is to hire a legal adviser to write the policy; however, a more reasonable alternative is a new web tool called PrivacyPolicyGenerator. It provides you an easy way to generate a privacy policy for your website.
Implemented by a team of legal advisers, the tool generates a privacy policy for your website after you answer a couple of quick questions. Once generated, you can make changes to it or simply copy the HTML to implement on your website. The policy is not meant to be 100% accurate for your website, but serves as a good starting point.
www.privacy-policy-generator.legalriver.com
Trust us. You don't need to worry about those silly laws you've been pointing to. We absolutely will allow you to see (some of) your file. You only need to hire a lawyer and wait a few years!
http://www.pogowasright.org/?p=8131
US tries to soothe EU privacy worries
March 4, 2010 by Dissent
Aoife White reports:
A U.S. official said Thursday that Europeans are wrong to believe that they have few rights to see what information the U.S. government holds on them — a misperception that is holding up a key counterterrorism program.
[...]
Parliamentarians have also demanded more safeguards from the U.S. They also complain that U.S. privacy laws do not grant any rights to people outside the United States to access or challenge information held by U.S. agencies.
The Department of Justice’s chief privacy officer Nancy Libin said non-U.S. citizens could use other legal means to see information.
An example would be a person denied entry to the U.S. who wanted to ask the Department of Homeland Security if it held any information that might affect a visa application.
Libin said non-U.S. citizens have the right to make freedom of information requests to see what data U.S. government agencies hold on them and can take U.S. legal action to get access to the information.
Read more on BusinessWeek.
Hey! You're the one who put your information in the public domain! We just gathered it up!
http://www.pogowasright.org/?p=8135
Website Archives Personal Information
March 4, 2010 by Dissent
Your personal information has a new home on the internet. Making it easy to research, in near real-time world news and personal information, The Social Archive (www.thesocialarchive.com), is rousing debate amongst data privacy and information professionals.
“We only archive publicly available information for the purpose of organizing it into a more consumable, usable form, freely available to the public.” says founder and operations manager Mendel Kurland. “We believe TSA is a valuable free resource on the internet and our growth in the past 6 months has really proven that people are interested in the information we provide.”
Debuting in early 2009, The Social Archive has grown considerably from 1,500 visitors per month to over 40,000. For the past 3 months, the site has paced close to 15% daily growth in traffic from all over the world with the majority of visitors coming from The United States, Brazil, Indonesia, Japan, China, Italy, and The United Kingdom.
TSA searches, spiders, and archives over 150 social media sites with an additional 200 of the most popular social networking sites, directories, and public records sites slated for archiving in Q2 of this year.
The Social Archive is privately held by World Life Networks, LLC an internet research and development company with offices in Iowa City, IA.
Source: PRWeb
The future of e-Discovery? Many hands make light work?
http://www.wired.com/wiredscience/2010/03/crowdsourcing-dida/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29
Pharma Watchdog Needs Your Help With Incriminating Documents
By Brandon Keim March 4, 2010 12:54 pm
Overwhelmed by thousands of documents describing the inner workings of pharmaceutical companies, the Drug Industry Document Archive wants to enlist the help of crowds.
Documents uncovered during lawsuits against drug companies could be made searchable to the public, just like documents from tobacco company lawsuits.
… Klausner envisions an internet army of students, journalists and concerned citizens helping, in much the same way as the Guardian newspaper invited the public to catalogue records of government-expense violations and the National Library of Australia enlisted crowds to correct errors made by automated scanners.
(Related) Interesting data for the e-Discovery team to analyze? Imagine gathering this data from hundreds of thousands of cars – with no way to automate the function! (Where is the NSA when we need them?) Would this discover many more instances of spontaneous acceleration?
http://tech.slashdot.org/story/10/03/05/0241241/Toyota-Black-Box-Data-Is-More-Closed-Than-Others?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Toyota Black Box Data Is More Closed Than Others'
Posted by timothy on Friday March 05, @01:12AM
wjr writes
"Many cars these days contain black boxes that record information (speed, accelerator position, etc) and can preserve information in the case of an accident. Ford and Chrysler say that they use 'open systems' so anyone can read out the data; General Motors has licensed Bosch to produce a device capable of reading its cars' black boxes. On the other hand, Toyota has only a single laptop in the US capable of reading its cars' black boxes, and generally won't allow the data to be read without a court order. Honda seems to have a similar policy. This is emerging as an issue in the investigation into unintended acceleration."
For my Computer Security class. The difficulty in just keeping up!
http://tech.slashdot.org/story/10/03/04/2024212/Typical-Windows-User-Patches-Every-5-Days?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Typical Windows User Patches Every 5 Days
Posted by timothy on Thursday March 04, @03:47PM
CWmike writes
"The typical home user running Windows faces the 'unreasonable' task of patching software an average of every five days, security research company Secunia said on Thursday. 'It's completely unreasonable to expect users to master so many different patch mechanisms and spend so much time patching,' said Thomas Kristensen, the company's CSO. The result: Few consumers devote the time and attention necessary to stay atop the patching job, which leaves them open to attack. Secunia says that of the users who ran the company's Personal Software Inspector in the last week of January, half had 66 or more programs from 22 or more different vendors on their machines. … Secunia has published a white paper (PDF) that details its findings."
[You can get the Personal Software Inspector free at: http://secunia.com/vulnerability_scanning/personal/ Bob]
Remember, no certification, no incentive payments.
http://www.phiprivacy.net/?p=2148
ONC Issues Rule Proposing the Establishment of Certification Programs for Health IT
By Dissent, March 5, 2010 7:34 am
Sheel Pandya reports:
On Tuesday, the Office of the National Coordinator (ONC) for Health Information Technology (Health IT) within the U.S. Department of Health and Human Services (HHS) issued a proposed rule that establishes two voluntary certification programs to test and certify health IT. [Makes it sound like no one had ever considered controlling IT before. Bob] The National Coordinator for health IT is required by the American Recovery and Reinvestment Act of 2009 (link to: http://www.gpo.gov/fdsys/pkg/PLAW-111publ5/html/PLAW-111publ5.htm) (ARRA) to work with the Director of the National Institute of Standards and Technology to develop a program (or programs) for voluntary certification.
This proposed rule represents the third in an important set of coordinated rulemakings by HHS affecting health IT. Back in December 2009, HHS released two proposed regulations. The first, a proposed rule, describes how eligible professionals and eligible hospitals can qualify for incentive payments [Let us pay you to do what you were required by law to do anyway. Bob] under the Medicare and Medicaid programs through the meaningful use of certified electronic health record (EHR) technology. The second, an interim final rule, describes the standards, implementation specifications and certification criteria that EHR technology needs to meet for providers to receive incentive payments. HHS has invited the public to submit comments on both of these rules on or before March 15, 2010.
Read more on CDT.
Interesting.
http://mashable.com/2010/03/04/google-desktops-irrelevant/
Google: Desktops Will Be Irrelevant in Three Years’ Time
Trivial research?
http://www.wired.com/gadgetlab/2010/03/popular-science-puts-entire-scanned-archive-online-free/
Popular Science Puts Entire Scanned Archive Online, Free
By Charlie Sorrel March 4, 2010 8:08 am
… Oh, and did I mention it works great on an iPhone? Good luck getting any work done today.
Search the PopSci archives.
[I found a 1967 article on computers (GE time sharing) in the home! Bob]
For my Disaster Recovery class. Perhaps not all Cloud Computing is as well protected.
http://techcrunch.com/2010/03/04/google-apps-now-disaster-proof/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
Google Apps Now Disaster Proof
by Leena Rao on Mar 4, 2010
… Google has made an announcement today for any enterprise users of Google Apps; assuring IT admins that the suite is now fully prepared for disaster recovery.
… Google’s secret sauce is live and synchronous replication. So every action you take in Gmail is immediately replicated in two data centers at once, so that if one data center fails, Google will transfer data over to the other one. Traditionally, Google says, synchronous replication can be very expensive for companies. For example, the cost to back up 25GB of data with synchronous replication can range from $150 to $500+ in storage and maintenance costs per employee. Google says that exact price depends on a number of factors such as the number of times the data is replicated and the choice of service provider. Of course, Google replicates all the data multiple times, and the 25GB per employee for Gmail is backed up for free. And data from Google Docs, Google Sites, Google Calendar, Google Talk and Google Video, which encompass most of the applications in Google Apps, is also synchronously replicated for free.
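The paragraph above only sketches why synchronous replication matters for disaster recovery. The following Python is an added illustration (constructed teaching code, not Google's implementation or anything from the TechCrunch article) of the difference: with synchronous replication an acknowledged write already exists in both data centers, so losing one loses nothing, while with asynchronous replication whatever was still queued for the second copy when the first data center dies is gone. The data-center names, the six "mail" writes and the point at which the async queue is flushed are all assumptions made up for the example.

```python
"""Synchronous vs. asynchronous replication under a data-center failure.

Constructed example for the replication discussion above; the two
"data centers" are in-memory dicts and the failure is simulated by
marking the primary as down. Names and write counts are made up.
"""
from dataclasses import dataclass, field


@dataclass
class DataCenter:
    name: str
    store: dict = field(default_factory=dict)
    alive: bool = True

    def write(self, key, value):
        if not self.alive:
            raise RuntimeError(f"{self.name} is down")
        self.store[key] = value


class SynchronousReplicator:
    """A write is acknowledged only after every replica has applied it.

    If any replica is unavailable the write is refused rather than
    acknowledged, so an acknowledged write is present on every live copy.
    """

    def __init__(self, replicas):
        self.replicas = replicas

    def write(self, key, value):
        if not all(dc.alive for dc in self.replicas):
            return False  # cannot commit on every copy, so do not acknowledge
        for dc in self.replicas:
            dc.write(key, value)
        return True


class AsynchronousReplicator:
    """A write is acknowledged once the primary has it; secondaries catch
    up later from a queue. Anything still queued when the primary dies
    never reaches the other data center.
    """

    def __init__(self, primary, secondaries):
        self.primary = primary
        self.secondaries = secondaries
        self.pending = []

    def write(self, key, value):
        self.primary.write(key, value)
        self.pending.append((key, value))
        return True

    def flush(self):
        """Ship the queued writes to every secondary (the replication lag)."""
        for key, value in self.pending:
            for dc in self.secondaries:
                dc.write(key, value)
        self.pending = []


def survivor_view(replicas):
    """Union of the data held by the replicas that are still alive."""
    merged = {}
    for dc in replicas:
        if dc.alive:
            merged.update(dc.store)
    return merged


def simulate(mode, writes_before_flush=3):
    """Return how many acknowledged writes survive the loss of the primary.

    'sync': every acknowledged write is readable from the surviving copy.
    'async': only writes shipped before the failure survive; the rest are
    listed under 'lost' even though the user saw them acknowledged.
    """
    primary = DataCenter("dc-east")       # assumed name
    secondary = DataCenter("dc-west")     # assumed name
    if mode == "sync":
        rep = SynchronousReplicator([primary, secondary])
    elif mode == "async":
        rep = AsynchronousReplicator(primary, [secondary])
    else:
        raise ValueError(f"unknown mode {mode!r}")

    acknowledged = {}
    for i in range(6):  # six constructed mailbox writes
        key, value = f"mail-{i}", f"message body {i}"
        if rep.write(key, value):
            acknowledged[key] = value
        # simulate replication lag: the async queue is shipped only once
        if mode == "async" and i == writes_before_flush - 1:
            rep.flush()

    primary.alive = False  # the data-center failure
    readable = survivor_view([primary, secondary])
    lost = sorted(k for k in acknowledged if k not in readable)
    return {"acknowledged": len(acknowledged), "readable": len(readable), "lost": lost}


if __name__ == "__main__":
    for mode in ("sync", "async"):
        print(mode, simulate(mode))
```

The point the simulation makes is about acknowledgments: synchronous replication pays for the extra round trip on every write so that the acknowledgment itself is the durability guarantee, whereas the asynchronous design acknowledges first and hopes the queue drains before anything fails.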
For me. And any students wishing for an “A”
http://www.makeuseof.com/dir/advertt-search-multiple-dictionaries
Advertt: Search Multiple Dictionaries At Once
… It is a simple web app that searches multiple dictionaries including Wikipedia, YourDictionary, Dictionary.com, OneLook, TheFreeDictionary all at once. [It also points to related videos! Bob]
http://advertt.com/
[I also use: http://www.onelook.com/ Bob]
Something for us teachers?
http://www.killerstartups.com/Web-App-Tools/owely-com-communicate-what-you-see-in-your-screen
Owely.com - Communicate What You See In Your Screen
http://www.owely.com/
Owely can be defined as a screenshot sharing tool that aims to let people simplify their online communication by showing others what they see on their screens, instead of having to write half a dissertation just to explain that something is where it should not be.
This is achieved by enabling users to draw with a marker tool, and also by letting them write text comments where they need them right on the screenshot. The whole process is reduced to three simple steps, then: capturing the screen, drawing with the marker (or adding comments) and dropping the link for your friend to check it out.