Saturday, September 18, 2010

Perhaps unconditional access to personal data is not the best idea? They could at least have encrypted the data...

http://www.databreaches.net/?p=13952

When your database of all staff is on a flash drive that goes missing…

September 17, 2010 by admin

Oh boy….

On September 9, Cooper University Hospital in New Jersey notified the New Hampshire Attorney General’s Office that a flash drive with a database of employees’ personal information was discovered missing on July 8, less than 24 hours after the database had been copied to the drive. The drive went missing from the Graduate Medical Education Office.

Anyone who was a Resident at Cooper University Hospital during the academic years 2008/2009 and 2009/2010 or is currently a member of house staff is affected.

According to their letter, information on the employees included their names, personal email addresses, beeper numbers, Social Security Numbers, employee ID numbers, citizenship and visa information, undergraduate, graduate, and medical school identification number, United States Medical Licensing Examination (USMLE) number, Educational Commission for Foreign Medical Graduates (ECFMG) number, Step I/II scores, salary, address, telephone numbers, emergency contacts, marital status, spouse’s name, birth date and birth place, gender, race, forwarding address, home phone number, leave of absence information, license number, DEA number, CDS number, NPI number, and employer. For Visiting Residents, the information included their PA Training License Number. Not all individuals had all kinds of information in the database.

The loss was reported to the Camden Police Department and the State Police Cyber Crime Unit. The latter declined to investigate because the police department was already investigating.



“Hey, it's for the children!” How else could they acclimatize their users to accept Behavioral Advertising?

http://www.bespacific.com/mt/archives/025244.html

September 17, 2010

WSJ Investigates Extensive Web Tracking of Children Online

"A Wall Street Journal investigation into online privacy has found that popular children's websites install more tracking technologies on personal computers than do the top websites aimed at adults."

  • "Marketers are spying more on young Internet users than on their parents, building detailed profiles of their activities and interests. The Wall Street Journal’s What They Know series documents the new, cutting-edge uses of this Internet-tracking technology. The Journal analyzed the tracking files installed on people’s computers by 50 of the most popular U.S. websites for children and teenagers. The Journal also built an “exposure index” — to determine the degree to which each site exposes visitors to monitoring — by studying the tracking technologies they install and the privacy policies that guide their use."



Where do you cut off the process, at the start or just before you apply the results? Could they still sell the aggregated data, and would that have a statistically significant variation from data that did not include “Opt-Outers”?

http://www.pogowasright.org/?p=14250

Dear Google: Do Not Track Me

September 17, 2010 by Dissent

Emily Badger writes about the concept of an online Do Not Call List to block advertising. She quotes Chris Soghoian, who, as usual, nails it:

“The main issue with implementing such a mechanism — in addition to the technology issues — is this: If a consumer makes use of Do Not Track, whether it’s a list or something else, is that going to stop the consumer from being tracked?” asked Christopher Soghoian, a security and privacy researcher. “Or is it merely going to stop them from seeing ads based on the tracking that will continue to occur?”

Soghoian, who previously worked in the Federal Trade Commission’s Division of Privacy and Identity Protection, says a better option would be to embed Do Not Track into a browser header. But this would require browser vendors to help develop the technology that today opposes their own interests (most major browsers derive revenue from ad networks).

Read more on Miller-McCune.com



Another one to watch. Are they automatically blocking based on keywords or do they read and evaluate messages?

http://www.wired.com/threatlevel/2010/09/blocking-text-messages/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

T-Mobile Censoring Text Messages

A mobile-marketing company claimed Friday it would go out of business unless a federal judge orders T-Mobile to stop blocking its text-messaging service, the first case testing whether wireless providers can block text messages they don’t like.

EZ Texting claims T-Mobile blocked the company from sending text messages for all of its clients after learning that legalmarijuanadispensary.com, an EZ Texting client, was using its service to send texts about legal medical marijuana dispensaries in California. “T-Mobile subjectively did not approve of one of the thousands of lawful businesses and non-profits served by EZ Texting,” according to the New York federal lawsuit.

The suit against T-Mobile, which controls about 15 percent of the U.S. mobile market, comes as the company just announced it was raising its texting prices, which some claim is an abuse of its market share. And the case comes amid a fierce debate surrounding net neutrality, with net giant Google claiming that wireless carriers should not be bound by the same rules as wireline carriers.

Even the New York-based texting service acknowledges that the case raises novel issues. “At the very least, EZ Texting has raised serious questions about the legal ability of a wireless service provider, T-Mobile, to block its customers from exchanging text messages with EZ Texting’s customers,” according to the suit.

A similar text-messaging flap occurred in 2007, but ended without litigation, when Verizon reversed itself and allowed an abortion-rights group to send text messages to its supporters.



http://www.wired.com/threatlevel/2010/09/intel-threatens-consumers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Intel Threatens to Sue Anyone Who Uses HDCP Crack

Intel threatened legal action Friday against anybody who uses its proprietary crypto key — leaked on the internet — to produce hardware that defeats the so-called HDCP technology that limits home recording of digital television and Blu-ray.

“There are laws to protect both the intellectual property involved as well as the content that is created and owned by the content providers,” said Tom Waldrop, a spokesman for the company, which developed HDCP. “Should a circumvention device be created using this information, we and others would avail ourselves, as appropriate, of those remedies.”

Intel’s comments came as it confirmed that the internet leak of the “master key” to the High-Bandwidth Digital Content Protection system was authentic.


(Related) Dilbert summarizes the value of (IP) protection.

http://dilbert.com/strips/comic/2010-09-18/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DilbertDailyStrip+%28Dilbert+Daily+Strip%29



Another “Ready, Fire, Aim” CEO.

http://news.cnet.com/8301-13579_3-20016818-37.html?part=rss&subj=news&tag=2547-1_3-0-20

Best Buy: iPad cutting into laptop sales

Best Buy CEO Brian Dunn told The Wall Street Journal on Tuesday that internal estimates showed the iPad had cannibalized sales from laptop PCs by as much as 50 percent.


(Related)

http://news.cnet.com/8301-31021_3-20016895-260.html?part=rss&subj=news&tag=2547-1_3-0-20

Best Buy retreats from iPad cannibalization claim

It turns out that Best Buy CEO Brian Dunn may have been exaggerating a bit when he said the iPad was cutting into notebook sales at Best Buy by "as much as 50 percent."

Dunn doesn't say the basic idea is not true--just that it was a "gross" exaggeration. And he doesn't offer a more updated or accurate rate of cannibalization that his company actually is seeing.



Important new study? “How to build a better hooker”

http://web.docuticker.com/go/docubase/35518

The Prostitute's Allure: Examining Returns to Beauty, Productivity and Discrimination

September 18, 2010 12:14

The Prostitute's Allure: Examining Returns to Beauty, Productivity and Discrimination (PDF)

Friday, September 17, 2010

“You know, now that we've had a breach the simple preventive measures are obvious...”

http://www.databreaches.net/?p=13931

Lost in transit, Thursday edition

September 16, 2010 by admin

Through its lawyers, Rhode Island-based Benefit Concepts, Inc. recently notified the New Hampshire Attorney General’s Office that a package containing employee payroll checks and a CD with copies of the payroll checks went missing.

According to the notification letter, their vendor, CompuPay, had sent the package on July 19 via FedEx and it should have been delivered on July 20. FedEx believes that the shipment went missing at its Warwick, Rhode Island facility. Employees were not notified of the loss until September 3. [One must assume that the checks were replaced in time to meet the payroll? Bob]

The payroll checks contained the employees’ first and last names, Social Security Numbers, and bank account numbers. To prevent future problems, the company has asked CompuPay to mask SSN and encrypt the accompanying CD.



The profits from “Behavioral Advertising” seem to encourage this type of activity.

http://www.wired.com/threatlevel/2010/09/html5-safari-exploit/

Lawsuit Targets Mobile Advertiser Over Sneaky HTML5 Pseudo-Cookies

A New York mobile-web advertising company was hit Wednesday with a proposed class action lawsuit over its use of an HTML5 trick to track iPhone and iPad users across a number of websites, in what is believed to be the first privacy lawsuit of its kind in the mobile space.

The company, Ringleader Digital, uses HTML5’s client-side database-storage capability as a substitute for the traditional cookie tracking employed by all major online ad companies. Mobile Safari users visiting sites with Ringleader ads are assigned a unique ID number which is stored by the browser, and recalled by Ringleader whenever they revisit.

But the tracker, labeled RLDGUID, does not go away when one clears cookies from the browser. Our sister site Ars Technica reported last week that users savvy enough to find and delete the database have found it returning mysteriously with the same ID number as before — a result the lawyers suing Ringleader say they’ve reproduced.

The lawsuit lodged Wednesday in Los Angeles federal court also names as defendants a number of companies who’d allegedly been serving the Ringleader trackers on the mobile versions of their sites: Surfline, WhitePages.com, The Travel Channel, CNN Money, Go2 and Merriam-Webster’s dictionary site.
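The reason clearing cookies did nothing here is that the identifier never lived in the cookie jar: HTML5 client-side storage is a separate store with its own lifetime. An audit has to look in every store a page can write to. The following is an added example, not code from the article or from Ringleader; it runs under Node against a constructed in-memory model of a client (a minimal Web Storage API stand-in), so the store contents and the identifier value are made up, and only the key name RLDGUID comes from the article.

```javascript
// Added example (not from the article): audit a client's browser-side stores
// for opaque identifiers and show that clearing cookies leaves the others
// untouched. The client model, store contents and identifier value are
// constructed; only the key name RLDGUID is taken from the article.

// Minimal stand-in for the Web Storage API (getItem/setItem/removeItem/key/length)
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { const k = Array.from(this.map.keys())[i]; return k === undefined ? null : k; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Heuristic: a long run of hex/base64-style characters with no spaces is far
// more likely to be an opaque identifier than a user preference.
const ID_PATTERN = /^[A-Za-z0-9_-]{16,}$/;

// Return every entry in one store whose value looks like an identifier.
function findIdentifierLikeEntries(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const value = storage.getItem(key);
    if (ID_PATTERN.test(value)) hits.push({ key, value });
  }
  return hits;
}

// A constructed client with three independent stores: the cookie jar,
// localStorage, and the HTML5 client-side database the article describes.
// The same tracker ID is written to all three, as a tracker would.
function makeClient() {
  const guid = '4f3c9a1e7b2d4c8fa0b1c2d3e4f5a6b7'; // constructed value
  return {
    cookies: new MemoryStorage({ session: 'k3j2', RLDGUID: guid }),
    localStorage: new MemoryStorage({ theme: 'dark', RLDGUID: guid }),
    clientSideDb: new MemoryStorage({ RLDGUID: guid }),
  };
}

// What "clear cookies" in the browser UI does: one store, nothing else.
function clearCookies(client) { client.cookies.clear(); }

// Audit every store and report which keys still hold identifier-like values.
function auditClient(client) {
  const report = {};
  for (const [name, store] of Object.entries(client)) {
    const hits = findIdentifierLikeEntries(store);
    if (hits.length) report[name] = hits.map(h => h.key);
  }
  return report;
}

// Remove one identifier from every store; returns how many stores held it.
function purgeIdentifier(client, key) {
  let removed = 0;
  for (const store of Object.values(client)) {
    if (store.getItem(key) !== null) { store.removeItem(key); removed++; }
  }
  return removed;
}
```

After `clearCookies`, `auditClient` still reports RLDGUID in localStorage and the client-side database, which is the situation the plaintiffs describe. The article also reports the identifier returning with the same value after users deleted the database; the example does not model how that happens, since the article does not say, but it is the reason an audit should be re-run after a purge rather than trusted once.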



“Hello. How are you?” doesn't translate well to modern technology.

http://www.phiprivacy.net/?p=3739

HOW many patient privacy breaches per month?

As regular readers know, I tend to avoid blogging about commercial products and am leery about reporting results from studies that might be self-serving, but a new paper from FairWarning has some data that I think are worth mentioning here. In their report, they provide some baseline data on how many patient privacy breaches their clients were experiencing each month.

… Although no detailed statistics are provided, the report also provides a summary on the types of patient privacy breaches most likely to occur for different types of localities.

… The company uses case examples with timelines to make the following points:

1. Simply informing your employees that you have implemented a monitoring program to detect privacy breaches can decrease patient privacy breaches significantly (on the order of 36% in one large metropolitan multi-hospital system and 60% in a rural hospital with remote clinics).

2. Telling employees that they are being monitored is not sufficient. Staff training (and re-training when new employees are hired) is also required to achieve desired results, as are consistent and appropriate sanctions. The company notes that they observed spikes in privacy breaches whenever new staff was hired, suggesting to me that entities need to do (and probably could do) a better job of initial training of new hires before they get access to patient information, including informing them that they will be monitored and informing them of possible dire consequences to their employment should they violate privacy policies.

3. A high-profile patient privacy breach that escalates into a Compliance Review and into a three year Resolution Agreement can cost between $8 and $17 million. The breakdown of costs they provide and the rationale could be useful for IT personnel who are pulling their hair out trying to get their employer to invest more in security and monitoring. Although I’m not qualified to evaluate whether their estimates are likely to be overestimates or not, I noted that the least of the costs — by a long shot — is notifying patients and offering them credit protection.



Another stalking/comm-tapping tool. Direct Messages are for “Private” communications – but they did nothing to ensure Privacy.

http://www.pogowasright.org/?p=14173

Latest Twitter concern: apps accessing DMs

September 16, 2010 by Dissent

A blog entry by Mike Chapman on devblog by oneforty is causing quite a stir on Twitter. Mike writes that

Currently Twitter application developers are given 2 choices when registering their apps – they can either request “read-only access” or “read & write” access. For Twitter “read & write” means being able to do anything through the API on a user’s behalf. These coarse-grained levels push most apps to choose “read & write”, in case they want to tweet on the user’s behalf, or make it simple to follow a Twitter account. Anecdotally, of the 130 apps & Twitter-integrated websites I’ve approved 91% have full read & write access to my Twitter account, with the other 9% having read-only access.

Of particular concern to many, he also writes:

In reality any app you have granted access can read all of your DMs. As an example, if you can get Michael Arrington (@arrington) to try your site and use Twitter OAuth you can now read all of his DMs. That might be tempting to an unethical few. And the challenge to Mr Arrington would be to even know that they were read without his permission. Twitter would have the logs of the API calls, but how would he know it happened? Or which app to revoke if he suspected it?

Read more on devblog by oneforty.

[About Direct Messages:

http://support.twitter.com/groups/31-twitter-basics/topics/109-tweets-messages/articles/14606-what-is-a-direct-message-dm


(Related) Other concerns.

http://gigaom.com/2010/09/16/remember-that-dm-on-twitter-so-do-your-apps/

Remember That DM on Twitter? So Do Your Apps

Spam and hackers. If you authorize full read-write access to a malicious app, or someone gets hold of your “token” that gives an app permission, they could send malicious links through your account, or even delete all your messages.

Pushy apps. This would include services that auto-publish to Twitter without asking you, or without making it obvious that they are going to do so, such as Twifficiency, which recently caused some backlash by auto-tweeting on a user’s account when they signed up for the service.



“Need to automatically create an alibi? There's an App for that!”

http://www.pogowasright.org/?p=14167

The “I was on MySpace” Alibi

September 16, 2010 by Dissent

From Bow Tie’s Law Blog:

In an unpublished criminal appeal over a jury instruction that the Defendant failed to explain or deny evidence, the Appellant-Defendant claimed as his alibi that he was playing poker on MySpace at the time of the crime.

The Prosecutor claimed the “MySpace Alibi” was implausible or bizarre. People v. Calderon, 2010 Cal. App. Unpub. LEXIS 7172, at *5-6 (Cal. App. 2d Dist. Sept. 9, 2010).

The Court of Appeals disagreed, finding the alibi was neither implausible nor bizarre. Calderon, at *6.

[...]

There is a courtroom drama waiting to erupt in a brutal cross-examination over whether someone was on Facebook on their iPhone or at home when the “Social Media” alibi is next offered.

Read more about the case and what might happen in the future when a social media alibi is offered on Bow Tie’s Law Blog.

I expect that some will use this to tell us how data retention and logs are our friends… [Guilty! Bob]

[From the article:

The MySpace records showed that someone was logged into the Appellant-Defendant’s account at the time of the crime. The Appellant-Defendant claimed he did not share his account information with anyone.

… Now for the big “however”: The Court of Appeals found there was no “ reasonable probability that appellant would have received a more favorable verdict if the instruction had not been given.” Calderon, at *6.

… The second big “however”: The MySpace Alibi was not compelling. The Court noted that anyone could have logged into MySpace for the Defendant or he could have logged in from another location. Calderon, at *7.



“Dis is why dem lawyers learns dem big woids!”

http://news.cnet.com/8301-17852_3-20016759-71.html?part=rss&subj=news&tag=2547-1_3-0-20

Juror's imprudent iPhone search causes mistrial

… It seems that there was a case in Florida featuring a man in his 60s who allegedly shot a 19-year-old.

… the shooter was indicted for murder and convicted of manslaughter. However, one important conjecture--both at jury instructions and during closing argument--gravitated around whether the elder gentleman's actions were "prudent."

It seems that the jury foreperson was not entirely sure of prudence's definition. So he whipped out his iPhone and ascertained that prudence was all about acting as reasonably as the common person you see on a bus. I paraphrase.

I should note that the foreperson didn't perform his search in the jury room. Rather, he tried to remember the definition and then shared it with many of his fellow jurors.

The court at the time found that, though his donning a Zuckerbergian cloak and sharing compounded his misconduct, it wasn't enough to warrant a mistrial.

There is one painful snag with this story. Dictionaries are not allowed in jury rooms.

So the Court of Appeal of Florida felt it had no choice but to disagree with the trial court and order new proceedings in the case. The Court of Appeal declared: "We cannot say that the intrusion of the definition of "prudent" into the jury deliberations did not affect the jury verdict."



Perhaps this is why so many Universities are offering some type of “Gaming” degree...

http://www.theatlantic.com/business/archive/2010/09/halo-reach-makes-more-money-on-day-1-than-any-movie-ever/63135/

Halo: Reach Makes More Money on Day 1 Than Any Movie, Ever

Thursday, September 16, 2010

So it wasn't “several” restaurants. What else have they got wrong? Why so long to figure out what was happening?

http://www.databreaches.net/?p=13894

Update: Roseville credit-card fraud traced to one restaurant

September 15, 2010 by admin

Bill Lindelof reports:

Hundreds of local cases in which thieves have collected credit-card numbers and used them to fraudulently make purchases have been traced to customers who frequented one Roseville restaurant, police said today.

Roseville police said that hundreds of credit-card numbers were compromised at Paul Martin’s American Bistro.

Read more on the Sacramento Bee.

It seems that law enforcement is walking back on their previous statement that they believed that the breach was not at the restaurant itself (see this earlier blog entry).

[From the article:

… The cyber criminals who perpetrated the fraudulent credit-card activity are not known and could be operating anywhere in the world, police said.

The crooks were able to access the restaurant's credit-card processing system and steal credit-card numbers, which were then sold to other criminals and used to make purchases, police said.

… The earliest of the cases under investigation appears to date back to March, Dee Dee Gunther, police spokeswoman, said last week.



Should I have my Computer Security students design security for the school and should my Ethical Hackers try to break it?

http://www.databreaches.net/?p=13891

Are colleges and universities at greater risk of data breaches?

September 15, 2010 by admin

John Cox discusses the recent report by Application Security, mentioned previously on this site.

A database security vendor says colleges and universities need to do more to secure their databases against break-ins.

Application Security, which uses the name AppSec, reviewed data breaches in higher education, drawing from a variety of published sources. The company, based in New York City, specializes in database security and has two main products: DbProtect, an application for database security, risk and compliance; and AppDetectivePro, which automatically discovers all database applications on a company’s network and evaluates their security.

The data in its report, “An Examination of Data Breaches at Higher Education Institutions,” highlights increasing data-loss incidents at colleges and universities. But it doesn’t clearly distinguish between the business market as a whole and the higher education sub-market, and it does little to put the higher education breaches into context.

Cox offers a number of other criticisms of the report. You can read it all on NetworkWorld.

In the meantime, while folks analyze breaches at the uni level, I’ve seen almost nothing on breaches at the k-12 level. School districts compile a tremendous amount of sensitive information on both students and their families, and I would guess that there have been many many breaches but we just don’t know about them. Even scarier: do the districts even know that they’ve been breached?



No surprise. Each technology added must go through the same learning curve, no matter how similar to earlier technologies.

http://www.phiprivacy.net/?p=3746

Could Chat Transcripts Be Security Minefields?

By Dissent, September 15, 2010

I usually link to Evan Schuman’s wonderful articles from databreaches.net, but this article is particularly relevant to this site. Evan writes:

When Rite-Aid and Walgreens both announced pharmacist chat programs last month, they were the latest chains to try and use chat to get closer to their customers. But, ironically, the preservation of chat discussions of super-sensitive patient medical history may prove a very serious threat to security.

It’s ironic because both chains are taking substantial steps to secure the access to confidential patient data, but neither is specifying steps to protect transcripts of that very same data. Imagine forcing call center employees to comply with all PCI rules regarding not preserving prohibited payment card data and then allowing them to write down all of that data in plain-text files that are then transmitted to consumers (who are unlikely to protect them) and saved in the chain’s files.

Read more on StorefrontBacktalk.



This can't be important. Stealing logins is so easy, even a caveman can do it.

http://www.databreaches.net/?p=13871

Large collection of stolen logins go public

September 15, 2010 by admin

Christopher Boyd blogs:

Below is a rather bland FarmVille phish that was brought to my attention by a friend who had it posted to their Facebook account. The entire page is blank save for the fake login.

[...]

Nothing spectacular, I’m sure you’ll agree. However, we did a little digging around on the same URL and came across a large collection of what the site claims are stolen Facebook logins dating from July right up to today.

Read more on SunbeltBlog. Note that in a comment, it says that this has been reported to Facebook and all those affected are having their passwords reset. Of course, in light of the new malware going around with the subject line that “Your Facebook Password has been reset,” this could be a recipe for more problems.



Today seems like “Bash Facebook” day. Or perhaps that's an everyday thing now...

http://it.slashdot.org/story/10/09/15/2027240/Facebook-the-Most-Dangerous-Social-Tool-For-Businesses?from=rss

Facebook the Most Dangerous Social Tool For Businesses

Posted by samzenpus on Wednesday September 15, @05:32PM

"According to a recent study Facebook is by far the most popular and most dangerous social media tool among small-to-medium-sized businesses, with 69 percent of respondents reporting that they have active accounts with this site, followed by Twitter, YouTube, and LinkedIn. Facebook is also the top culprit for malware infections and privacy violations, e.g. the leaking of sensitive company information. YouTube took the second spot for malware infection, while Twitter contributed to a significant number of privacy violations. For companies suffering financial losses from employee privacy violations, Facebook was again cited as the most common social media site where these losses occurred, followed by Twitter, YouTube, and LinkedIn."


(Related) Another “Privacy enhancement” for Facebook?

http://www.pogowasright.org/?p=14133

Bing could get access to anonymized Facebook data

September 15, 2010 by Dissent

Emil Protalinski writes:

Microsoft and Facebook are in talks to further strengthen their search partnership, possibly resulting in Bing gaining access to anonymized data generated by Facebook users to better personalize its search results, [Why do I find “anonymous personalization” an oxymoron? Bob] according to anonymous sources cited by All Things Digital. Microsoft would be able to use the information from Facebook’s Like buttons, which the social giant has managed to have plastered all over the Web.

When a user likes a webpage, their Facebook friends are notified; if this deal goes through, Microsoft would also be able to know which webpages users are appreciating, and would be able to work that into Bing’s algorithms (it could be particularly useful for Bing News), instead of just relying on spiders scouring the Internet. With Facebook’s 500 million users, such a deal could give it quite a boost over Google, which presumably would be excluded from the data. The sources did point out an important hurdle though: because of Facebook’s many privacy issues, the possible expansion of the search relationship would only be able to encompass information which users have already agreed to make public.

Read more on Ars Technica.


(Related) Perhaps they'll add a “Like” button for the ambulance that comes to cut you out of your car?

http://www.wired.com/autopia/2010/09/general-motors-boosts-onstar-to-challenge-sync/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

General Motors Boosts OnStar to Challenge Sync

After watching Ford dominate the in-car connectivity market with Sync, General Motors is fighting back with a slew of new features for OnStar in a push it calls “responsible connectivity.”

OnStar will roll out a long list of improvements, including Pandora online radio, Stitcher podcasts and wi-fi. Down the road, we could see voice-activated Facebook, texting and iPod control so you can stay connected while keeping your hands firmly planted at 10 and 2.


(Related) “All your plates belong to us” Maybe they don't have all the data from DMVs around the country, but it will be interesting to see if drivers with “road rage” will follow the email trail to Facebook, then get your address, then show up at your front door to “discuss” your driving skills.

http://www.pogowasright.org/?p=14120

Bump.com: “Like putting a cookie on a car”

September 15, 2010 by Dissent

Tom Simonite reports:

Next time you’re stuck in traffic, take a look at the license plates on the cars around you. To a user of bump.com–which launches today–each one is like an email address that can be used to contact the owner, whether to tell them a rear light is out or that you like their bumper sticker.

“To send a message you just need to specify state and plate,” Bump’s VP of technology John Albers-Mead told me at the DEMO conference in Santa Clara, California, where the La Jolla, California, firm will launch this afternoon.

[...]

“It allows us to track users, it’s like putting a cookie on a car,” says Albers-Mead, likening his technology to the small files used to track web users and offer functionality like autologins online. Once connected up to Bump’s tech, a camera at a store or drive-in burger joint could, for example, show menu choices similar to those you’ve selected before. That extra data could be valuable to store owners, Bump says, who could also make use of the messaging functions.

Read more on Technology Review.

[From the article:

Anyone that has registered their license plate can pick up those messages while an upcoming smartphone app--initially for iPhone but later Android too--will use image recognition to make sending messages easier. When using it you simply snap a photo of a license plate after which it is processed in the cloud to direct your message appropriately. Initially you have to specify a plate to contact manually, or using an automated call-in service.

… But the firm also says that being able to recognize license plates and message a car's owner has the potential to be of serious interest to businesses.



“If we build it, they will come – and find many ways to misuse it!”

http://mobile.slashdot.org/story/10/09/16/0016223/Intel-CTO-Says-Future-Phones-Will-Sense-Your-Mood?from=rss

Intel CTO Says Future Phones Will Sense Your Mood

Posted by samzenpus on Wednesday September 15, @10:03PM

"Ultra-smartphones that react to your moods and televisions that can tell it's you who's watching are in your future as Intel Corp's top technology guru sets his sights on context-aware computing. Chief technology officer Justin Rattner stuffed sensors down his socks at the annual Intel Developer Forum in San Francisco on Wednesday to demonstrate how personal devices will one day offer advice that goes way beyond local restaurants and new songs to download. 'How can we change the relationship so we think of these devices not as devices but as assistants or even companions?' he asked." [Or perhaps stalkers and harassers? Bob]



I summarize...

http://www.echannelline.com/usa/story.cfm?item=26136

12 reasons why we're losing the identity theft battle (and why you should care)

1. Zero Liability has made consumers feel they have nothing to lose.

2. Law enforcement lack resources to handle id theft cases.

3. Consumers think we're winning the battle.

4. Organized crime gave cybercrime and identity theft a whole new lease of life.

5. Financial institutions need to talk to their customers about identity theft.

6. The small business community is still ignoring their security responsibilities.

7. Thieves are emboldened because they know they're unlikely to be caught.

8. Consumers are still not protecting their computers or changing their habits.

9. Check verification still has too many loopholes.

10. Many banks are not using all the authentication and verification options available because they think more security challenges will annoy customers.

11. Consumers are giving away too much personal information on social networking.

12. Businesses and consumers are becoming indifferent to data breaches.



...because students got no rights!

http://www.pogowasright.org/?p=14131

ACLU-PA settles cell phone search suit against school district

September 15, 2010 by Dissent

The American Civil Liberties Union of Pennsylvania announced today that it has settled a lawsuit filed in May alleging that the Tunkhannock Area School District (Wyoming County) illegally searched a student’s cell phone, punished her for storing semi-nude pictures of herself on the device, and then referred her case for criminal prosecution to the district attorney’s office. Under the settlement, the school district denied any liability or wrongdoing but agreed to pay the student and her lawyers $33,000 to resolve the dispute. The student’s claims against the District Attorney’s Office were not settled and will proceed through litigation.

The case began in January 2009 when a teacher confiscated the cell phone of N.N., a 17-year-old senior, for using the phone after homeroom began, a violation of school policy. Later that morning, the principal informed N.N. that he had found “explicit” photos stored on her cell phone, which he turned over to law enforcement. He then gave her a three day out-of-school suspension, which she served.

The photographs, which were not visible on the screen and required multiple steps to locate, were taken on the device’s built-in camera and were never circulated to other students in the school. N.N. appeared fully covered in most of the photographs, although several showed her naked breasts and one indistinct image showed her standing upright while fully naked. The photographs were intended to be seen only by N.N.’s long-time boyfriend and herself.

The ACLU-PA hoped to use this case to help alert school officials across Pennsylvania to students’ privacy rights in their cell phones. Very little case law exists discussing student-cell-phone searches. While the settlement forecloses a court ruling, the case has led the ACLU-PA to contact the Pennsylvania School Boards Association (PSBA), which this week agreed to work with the ACLU towards crafting guidelines for teachers and school officials to help them better handle situations involving student cell phones and other electronic devices without unlawfully invading student privacy. Walczak noted that the goal was to prevent future violations of students’ constitutional rights.

The lawsuit, filed in the U.S. District Court for the Middle District of Pennsylvania, will continue against former DA George Skumanick, who threatened to prosecute N.N.; Police Detective David Ide, who investigated and viewed the images; and Jeff Mitchell, the current Wyoming County District Attorney.

N.N. is represented by Walczak and Valerie Burch from the ACLU of Pennsylvania. The case is N.N. v. Tunkhannock Area School District et al., 10-cv-01080-ARC.

Source: ACLU of PA.

Related: Complaint (pdf)



How to avoid surveillance? Could they claim the camera was installed by a peeping tom?

http://www.newsandstar.co.uk/news/carlisle-man-destroyed-cctv-camera-spying-on-his-home-1.758045?referrerPath=home

Carlisle man destroyed CCTV camera spying on his home

A man who objected to a CCTV camera keeping watch on his bedroom window from the house opposite appeared before a judge – for stealing the camera and throwing it in a river.

The camera had been installed in the empty house opposite Christian Lord’s home in Welsh Road, Harraby, Carlisle.

He and his girlfriend didn’t like the 24-hour monitoring of their movements, so he broke in and removed it.

Prosecuting counsel Jonathan Dickinson told the court it was unclear who had installed the camera, or why, although it was thought Lord’s landlords – a housing association – were responsible.

“There is no dispute that the CCTV looked out solely upon the property occupied by Mr Lord and his girlfriend,” he said.

… “He was not aware of its purpose, but he was very concerned about where it was pointing. It appeared to be pointing at his front bedroom.”



For certain values of “Best?”

http://www.bespacific.com/mt/archives/025222.html

September 15, 2010

US News: Best Lawyers, Best Law Firms 2010

"U.S. News and Best Lawyers, the leading survey of lawyers worldwide, have joined to rank nearly 9,000 firms in 81 practice areas in 171 metropolitan areas and 7 states.



What a concept! Dilbert has inspired me to go back through my blog and put all my comments into book form! Oh, wait...

http://dilbert.com/strips/comic/2010-09-16/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DilbertDailyStrip+%28Dilbert+Daily+Strip%29

Wednesday, September 15, 2010

As datasets grow larger and more closely integrated, what is the electronic equivalent of “in plain sight?”

http://www.pogowasright.org/?p=14038

EFF: Revised Opinion in Privacy Case Blurs Clear Limits to Digital Search and Seizure

September 15, 2010 by Dissent

Lee Tien of EFF comments on the recent Ninth Circuit revised opinion in United States v. Comprehensive Drug Testing (the BALCO decision). The general public will remember the case as the one in which the government swooped in and grabbed everything that wasn’t nailed down in searching for evidence that 10 major league baseball players had used steroids. Many other players, who were not named as targets of the investigation, found their drug testing records in the hands of the government who then viewed everything as being in “plain view” and usable. In response, the courts had criticized the government for misrepresenting risks to judges and over-reaching, and had established procedures for searching and seizing digital evidence that might be aggregated with other data. In doing so, the court had established new Ninth Circuit guidelines going forward that updated and replaced its current standards established in the pre-digital age in the Tamura decision.

Lee writes, in part:

The Ninth Circuit had in its earlier en banc decision [579 F.3d 989 (9th Cir. 2009)] set forth guidelines meant to ensure that even otherwise lawful warrants authorizing the search and seizure of computers do not give officers too much access to private data that might be intermingled with evidence of a crime: (1) the government must waive the “plain view” rule, meaning it must agree to only use evidence of the crime or crimes that led to obtaining the warrant, and not to use evidence of other crimes; (2) the government must wall off the forensic experts who search the hard drive from the agents investigating the case; (3) the government must explain the “actual risks of destruction of information” they would face if they weren’t allowed to seize entire computers; (4) the government must use a search protocol to designate what information they can give to the investigating agents; and (5) the government must destroy or return non-responsive data.

The government, however, challenged these guidelines by seeking “super” en banc rehearing by the full Ninth Circuit (in the Ninth Circuit, ordinary en banc review is done by a panel of 11 judges).

Sadly, while yesterday’s decision reached the same, correct result in this case and denied super en banc rehearing, the revised majority opinion now omits the privacy-protective guidelines. Instead, those guidelines are now part of a 5-judge concurrence and are not binding on magistrate judges issuing warrants.

We’re disappointed. True, the Ninth Circuit recognized that government agents have “a powerful incentive . . . to seize more rather than less” (the opinion archly characterizes the government’s view as “Let’s take everything back to the lab, have a good look around and see what we might stumble upon.”). And eliminating the guidelines might avoid Supreme Court review.

Still, if the Ninth Circuit wanted “to avoid turning a limited search for particular information into a general search of office file systems and computer databases,” it would have been far better off with its original, binding rules.

Many civil libertarians are understandably upset by the revised opinion for walking back the guidelines. Slapping the government on the wrist or ripping into them in an opinion isn’t the same as establishing binding guidelines or rules for how we demand the government conduct itself. When the court had the opportunity to re-assert Fourth Amendment principles and apply them to a digital world, they ceded to government pressure. What will stop the government the next time, then?



Another interesting topic for debate...

http://www.pogowasright.org/?p=14059

Article: The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information



Not bad enough they give you a ticket, now they snap on the rubber gloves and ask you to bend over?

http://www.pogowasright.org/?p=14004

California: Meter Maids to Search Motorists For Documentation

September 14, 2010 by Dissent

Meter maids employed by a for-profit, foreign company are confronting motorists and seizing disabled parking permits at the direction of the city of West Hollywood, California. Earlier this month, officials announced a “crack down” on the abuse of restricted-use parking spaces by having meter maids determine whether the users of disabled parking permits are legitimately handicapped.

“Under a program initiated by the city of West Hollywood’s Parking Division, drivers displaying disabled placards may be randomly approached to provide proof of placard ownership,” a city press release explained. “Failure to provide the required identification card will result in the confiscation of the disabled placard and a parking citation for misuse, which carries a $500 fine.”

Read more on theNewspaper.com.

So now we have employees of a foreign company demanding “Papers, Please” from our own citizens? Seriously, folks?



Interesting video

http://www.pogowasright.org/?p=14006

Cops on Camera (video)

September 14, 2010 by Dissent

Cato Institute has uploaded a really good video about video and audiotaping law enforcement in the performance of their duties:



No different than fingerprints? Is DNA treated like fingerprints?

http://www.pogowasright.org/?p=14030

9th Circuit rules DNA testing can be required before release on bail

September 14, 2010 by Dissent

Denny Walsh writes:

In the first decision of its kind in the nation, an appellate court has ruled in a Sacramento case that DNA testing is a legitimate condition of release on bail for a federal defendant not yet convicted.

Before a federal felony can be charged, there must be probable cause to believe a crime has been committed, a three-judge panel of the 9th U. S. Circuit Court of Appeals noted in Tuesday’s 47-page opinion.

Under those circumstances, the panel ruled, the government’s interest in definitively identifying the defendant “outweighs the defendant’s privacy interest in giving a DNA sample as a condition of pre-trial release.”

Read more on SacBee.com.

Related: Opinion (pdf)



Getting to a “No means no” world.

http://www.pogowasright.org/?p=13991

Recent Lawsuits Challenge Use of Flash Cookies to Track Online Behavior

September 14, 2010 by Dissent

Robert D. Forbes writes:

Four recent lawsuits filed against some of the Web’s biggest media companies challenge the alleged use of Flash cookies capable of circumventing a user’s ability to prevent the tracking of online behavior.

The four complaints (available here, here, here, and here) center around the defendants’ alleged tracking of consumers’ online behavior through the use of cookies installed through Adobe’s Flash video player, the Web’s most popular online video program. Each of the complaints seeks class action status.

Named as defendants are Clearspring Technologies, Inc., Quantcast Corporation, and Specific Media, Inc., three of the leading companies involved in targeted online advertising. Also named are numerous media companies that have allegedly used these companies’ technologies on their Web sites.

Read more on Proskauer.



If you don't consider the reaction of the people you 'govern,' they will certainly point out your error.

http://www.pogowasright.org/?p=14001

NY: Town Stops Using Google Earth To Spot Illegal Pools

September 14, 2010 by Dissent

The town of Riverhead on Long Island voted last week to stop using Google Earth satellite images to find homeowners who do not have permits for their backyard pools. The town had actually been using the eye in the sky approach for over a year, but after media coverage of it last month, they got a lot of negative feedback — mostly from people who didn’t have permits. Read more on NPR.

Via @adamshostack



For my Data Mining and Data Analytics students.

http://it.slashdot.org/story/10/09/14/1755235/The-Big-Promise-of-Big-Data?from=rss

The Big Promise of 'Big Data'

Posted by CmdrTaco on Tuesday September 14, @02:35PM

"InfoWorld's Frank Ohlhorst discusses how virtualization, commodity hardware, and 'Big Data' tools like Hadoop are enabling IT organizations to mine vast volumes of corporate and external data — a trend fueled increasingly by companies' desire to finally unlock critical insights from thus far largely untapped data stores. 'As costs fall and companies think of new ways to correlate data, Big Data analytics will become more commonplace, perhaps providing the growth mechanism for a small company to become a large one. Consider that Google, Yahoo, and Facebook were all once small companies that leveraged their data and understanding of the relationships in that data to grow significantly. It's no accident that many of the underpinnings of Big Data came from the methods these very businesses developed. But today, these methods are widely available through Hadoop and other tools for enterprises such as yours.'"

[From the article:

The New York Times has used Big Data tools for text analysis and Web mining, while Disney uses them to correlate and understand customer behavior across its stores, theme parks, and Web properties.

Big Data plays another role in today's businesses: Large organizations increasingly face the need to maintain massive amounts of structured and unstructured data -- from transaction information in data warehouses to employee tweets, from supplier records to regulatory filings -- to comply with government regulations. That need has been driven even more by recent court cases that have encouraged companies to keep large quantities of documents, email messages, and other electronic communications such as instant messaging and IP telephony that may be required for e-discovery if they face litigation.



If this doesn't point to a business opportunity, I don't know what does...

http://news.slashdot.org/story/10/09/14/1516238/Why-Broadband-Prices-Havent-Decreased?from=rss

Why Broadband Prices Haven't Decreased

Posted by CmdrTaco on Tuesday September 14, @11:45AM

"After a new technology is introduced to the market, there is usually a predictable decrease in price as it becomes more common. Laptops experienced precipitous price drops during the past decade. Digital cameras, personal computers, and computer chips all followed similar steep declines in price. Has the price of broadband Internet followed the same model? Shane Greenstein decided to look into it."

[From the article:

Greenstein says that a 2003 decision to leave regulation up to the broadband companies themselves has caused much of the stagnation in broadband service prices.

… “So if you were in such a market as a supplier, why would you initiate a price war?” Greenstein asks. With no new entries on the market, suppliers can compete by slowly increasing quality but keeping prices the same.



Interesting tech. From the photo, the scanner is much smaller than the card itself.

http://news.cnet.com/8301-27076_3-20016438-248.html?part=rss&subj=news&tag=2547-1_3-0-20

Square producing 10,000 card readers a day

Twitter co-founder Jack Dorsey's latest project, Square, which plugs into mobile devices and allows users to process payments, is getting bigger.

During an interview with VentureBeat's founder Matt Marshall as part of this year's Demo Fall conference here, Dorsey explained that the company was now producing some 10,000 scanner units a day, which allow Square users with a smartphone and the Square software (which is free) to run credit card payments from just about anywhere.



Supply and Demand in the technology field.

http://techcrunch.com/2010/09/15/google-fights-back-in-battle-for-talent-but-may-be-creating-a-worse-problem-for-itself/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Google Fights Back In Battle For Talent, But May Be Creating A Worse Problem For Itself

Earlier this month I wrote about the extraordinary steps Google is taking to retain talent.

… What’s Google offering? An immediate response for starters. They have put policies in place to ensure that an employee gets a response within 24 hours, we’ve confirmed from sources close to Google. Raises of 15% – 20% aren’t uncommon, nor are new restricted stock grants ranging up to $500,000 in value. Employees are also often offered a different job, a move into a managerial role, etc.



Dilbert continues to examine “Social Media”

http://dilbert.com/strips/comic/2010-09-15/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+DilbertDailyStrip+%28Dilbert+Daily+Strip%29


(Related) Some statistics...

http://techcrunch.com/2010/09/14/twitter-seeing-90-million-tweets-per-day/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Twitter Seeing 90 Million Tweets Per Day, 25 Percent Contain Links

… Williams also said that since the beginning of the year Twitter users on mobile devices are up 250%, with 16% of new users starting to use the service on mobile devices. And there are on average 370,000 new sign-ups per day overall.

Tuesday, September 14, 2010

Identity theft made tangible? What (probably simple) procedure would have prevented this?

http://news.slashdot.org/story/10/09/14/0144207/Criminals-Steal-House-Thanks-To-Hacked-Email?from=rss

Criminals Steal House Thanks To Hacked Email

Posted by Soulskill on Tuesday September 14, @02:20AM

"An international cybercrime investigation is underway into a sophisticated scam network that used email and fax to sell an Australian man's AU$500,000 property without his knowledge. The man was overseas when the Nigerian-based scammers stole his credentials and amazingly sold two houses through his real estate agent. He rushed home and prevented the sale of his second home from being finalized. Australian Federal Police and overseas law enforcement agencies will investigate the complex scam, which is considered the first of its kind in Australia. It is alleged scammers had stolen the man's email account and personal and property documents to sell the houses and funnel cash into Chinese bank accounts. Investigating agencies admit the scammers hoodwinked both the selling agents and the government, and said they had enough information to satisfy regulatory requirements. The police did not rule out whether the scammers had links to the man."



Perhaps another Heartland style breach?

http://www.databreaches.net/?p=13834

CA: Hackers Target Roseville Eateries For Credit Card Information

September 14, 2010 by admin

The hospitality sector continues to be targeted by cybercriminals. KCRA reports:

Roseville police are warning people eating out in Roseville to avoid using their debit cards and to pay with cash or use credit cards. [Or perhaps use the “barter system?” Bob]

The warning is in response to a recent rash of credit card thefts connected to a multitude of Roseville eateries.

Police said hackers have stolen well over 200 people’s information after they ate out.

They won’t say which restaurants have been affected [Just avoid them all? Bob] due to the ongoing investigation. However, police have said the restaurants themselves are not responsible.

“We believe the breach is not actually at the restaurant but a third party vendor that’s in the process between using your credit card at the restaurant and actually billing the bank,” said Capt. Stefan Moore.

Moore said the scheme is so complex and expansive they’ve asked the secret service for help catching the culprits.

Meanwhile, in Davis, police are dealing with similar problems. They’ve seen a 50 percent increase in identity thefts.

Read more on KCRA. It sounds like local law enforcement suspect a payment processor breach. As I reported last month, there were buzzes about an uptick in breaches involving the hospitality sector and California had been specifically mentioned.

Stay tuned….



Boy, I can't wait until this type of information is available in a nation-wide Health Care database...

http://www.databreaches.net/?p=13831

CA: ID thief hits state coffers for $200,000

September 14, 2010 by admin

Julie Johnson reports:

A mobile blood-testing company is believed to be the source of 500,000 California identities used to create fake drivers licenses and checks, investigators said.

A Castro Valley man is at the center of what detectives called a “huge” scheme in which stolen identities were used to create fraudulent unemployment and in-home health support checks that were cashed in Safeway stores across northern California, including Sonoma County.

[...]

“The one thing (the victims) had in common is they all had blood work done for insurance purposes,” Chapman said.

The company, not named by investigators, sent clinicians to people’s homes to take blood samples for purposes such as acquiring life insurance, Chapman said. The source of the leak is still being investigated.

Read more in The Press Democrat.



An interesting “discussion” to say the least.

http://www.pogowasright.org/?p=13937

Pointer: 10 Brief Responses To 700 Comments About Refusing To Answer Questions At Passport Control

September 13, 2010 by Dissent

Paul Karl Lukacs responds to comments made in response to his earlier blog entry on his experience when he attempted to re-enter the U.S. and wouldn’t answer questions from passport control as to why he had traveled outside the country.



Sometimes I just laugh...

http://e-discoveryteam.com/2010/09/12/victor-stanley-2-judge-grimm-imposes-prison-sanction-for-spoliation-by-a-defendant-reminiscent-of-the-leader-of-the-gang-that-couldnt-shoot-straight/

“Victor Stanley 2” – Judge Grimm Imposes Prison Sanction for Spoliation by a Defendant Reminiscent of the Leader of “The Gang That Couldn’t Shoot Straight”

The sequel to Judge Paul Grimm’s landmark Victor Stanley case was issued September 9, 2010, and is one for the record books. Victor Stanley II has morphed from a search case to a sanctions thriller. It records one of legal history’s strongest examples of lawyers behaving badly in e-discovery, so bad, in fact, that Judge Grimm ordered the spoliating party to jail.

… This 103-page opinion includes a 12-page chart summarizing spoliation sanctions law by Circuits. Judge Paul Grimm has, once again, considerably advanced the jurisprudence of discovery, this time in sanctions, a key area of law today.



This can't be correct, can it? The article gives no indication as to why this might be.

http://science.slashdot.org/story/10/09/13/1832216/Canadian-Government-Muzzling-Scientists?from=rss

Canadian Government Muzzling Scientists

Posted by Soulskill on Monday September 13, @02:54PM

"The Harper government has tightened the muzzle on federal scientists, going so far as to control when and what they can say about floods at the end of the last ice age. Natural Resources Canada scientists were told this spring they need 'pre-approval' from Minister Christian Paradis' office to speak with journalists. Their 'media lines' also need ministerial approval, say documents obtained by Postmedia News through access-to-information legislation. The documents say the 'new' rules went into force in March and reveal how they apply not only to contentious issues, including the oilsands, but benign subjects such as floods that occurred 13,000 years ago. They also give a glimpse of how Canadians are being cut off from scientists whose work is financed by taxpayers, critics say, and is often of significant public interest — be it about fish stocks, genetically modified crops or mercury pollution in the Athabasca River."



Is this what strikes fear into the hearts of newspaper owners?

http://techcrunch.com/2010/09/13/pew-news-online-print-newspapers/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Pew Research: More People Got Their News Online Yesterday Than From A Print Newspaper

The Pew Research Center, which regularly surveys U.S. consumers about their media consumption habits, put out a report which shows that more people are getting their news online than from print newspapers. In response to a survey question asking people where they got their news yesterday, 34 percent answered online versus only 31 percent from a daily newspaper.

… TV still rules with 58 percent. I think we will definitely crush radio by the time the next survey comes out. TV will be more difficult to conquer, especially if you believe, as Pew claims, that 21 percent of American adults do not use the Internet at all. [So at best, 42 percent are clueless? Bob]