Tuesday, October 18, 2011


Another “Lawyers are evil” rant? If no one goes after the Breachers, what incentive do they have to “repent and reform?” It seems likely that courts (juries) have undervalued the damages. Can't wait to see if we can correct that in the http://privacyfoundation.org/ Nov. 4th Seminar...
Exploiting Privacy Breaches
October 18, 2011 by Dissent
I recently commented on the rush to class action lawsuits that seems to have become the norm. Today, I was interested to see this column by John Halamka, MD, CIO, CareGroup Health System, Harvard Medical School. He writes, in part:
As with any profession there are those attorneys who use the law for personal gain. Here’s a list of privacy breach class action suits, comparing payments to attorneys versus their clients.
There are many good investors. Accelerating new technology by providing funding to those who can build high value businesses is a good thing. As with any profession, there are investors who put profits ahead of societal benefits.
I’ve heard discussion about an alarming new business model. Investors paying attorneys to file class action suits related to privacy breaches in return for a portion of the profits.
[...]
Investing in class action suits that asymmetrically benefit the finance and legal professions is not something that benefits society.
Read more on Healthcare Finance News. Although John is talking about the healthcare sector and, as an insider, his points might seem a bit self-serving, I agree with him, and his point applies equally well to other sectors. I think that those who are really sloppy with security and privacy protections should experience consequences and consumers should be compensated for any harm, time, or stress they incur as a result of negligent security or privacy practices, but most class action lawsuits really benefit no one but the plaintiffs’ attorneys. All these suits will do in the long run is discourage entities from coming clean about breaches, and then we all lose.


Interesting. Even though I have omitted a bunch of detail, this still looks like one to track.
Aspiring actress sues IMDB and Amazon for revealing her true age and for misusing her credit card details to obtain it
Venkat Balasubramani kindly pointed me to this Jane Doe lawsuit against Amazon and its subsidiary, IMDB.com.
If I understand the thrust of the complaint, Doe, an aspiring actress, had registered with IMDB.com using her stage name. When she upgraded to IMDBpro, however, she was required to provide a credit card number, and with it, the name on the credit card – her real name. Doe believed that the information would be kept confidential, but IMDB.com subsequently revealed her real date of birth in their database. Doe claims that IMDB and Amazon obtained her real birthdate by aggregating public sources based on the credit card data. She alleges that IMDBpro’s privacy policy had not indicated that other sources of information that they might collect would result in public disclosure of her private facts.
… So I trotted off to look at IMDBpro’s signup process and subscriber agreement. The service’s privacy policy says, in relevant part:
… Information from Other Sources: For reasons such as improving personalization of our service (for example, providing better movie recommendations or special offers that we think will interest you), we might receive information about you from other sources and add it to our account information. We also sometimes receive updated delivery and address information from other sources so that we can correct our records and deliver your next communication more easily.
… That Amazon/IMDBpro would aggregate public records – assuming for now that they have, indeed, done that – does not surprise me.
That they would reveal personal information such as date of birth in a public profile without the consent of a subscriber does surprise me as there is nothing in their privacy policy that would appear to permit that. Or are they now the True Age Police?
That they would refuse to remove the information when made aware of the concern/complaint is mind-boggling. Even though their privacy policy does say “we might receive information about you from other sources and add it to our account information,” I do not think that most subscribers would interpret that to mean that information thus added would be publicly disclosed.
Another interesting case to watch.


“Nah nah na nah nah, you can't hack me!” Which part of “Never challenge a hacker” didn't you understand? (My Ethical Hackers will be pleased to know Chapters 18-21 are apparently unknown to DHS.)
DHS: Anonymous lacks the skill to harm ICS stability
A NCCIC (National Cybersecurity and Communications Integration Center) bulletin issued in September, released by PublicIntelligence.net on Monday, says that Anonymous has taken an interest in Industrial Control Systems, but that’s about it.
Actual harm to ICS stability is limited, the NCCIC notice says, because Anonymous lacks the skill to target anything other than Web-facing applications and access.


Perhaps we could create an automated rating service here – This App Policy contains 82% of the minimum recommended protections?
Draft Mobile Application Privacy Policy released by the Mobile Marketing Association
October 17, 2011 by Dissent
The Mobile Marketing Association (MMA) has released a draft Mobile Application Privacy Policy for public comment. You can read the accompanying press release here.


There are lots of ex-military in my Ethical Hacking classes, but I doubt any of them would buy these arguments. From a political perspective, the problem with a cyber attack is that it doesn't show up dramatically on the evening news.
U.S. Considered Hacking Libya’s Air Defense to Disable Radar
Officials in the Obama administration considered launching a cyber offensive against Libya’s computer networks last March as part of the NATO-led air strikes against the Qaddafi regime.
The cyberattack would have involved breaking through the firewalls protecting Libyan computer networks in order to disrupt military communications and thwart early-warning radar systems that would detect planes coming in for a strike.
The officials and military officers ultimately decided against the plan out of fear that it would set a precedent for other nations to use similar techniques, [Highly unlikely. Bob] according to the New York Times. There were also unresolved questions about whether President Obama had the power to approve such an attack without first informing Congress, and whether there was sufficient time to conduct digital reconnaissance and write the attack code that would have been required to pull off such an attack.
… Had the computer-network attack against Libya gone ahead, administration officials told the Times they were confident the attack code could have been contained within Libya’s networks and not spread to other networks to cause collateral damage.
Such questions have become central to cyberwarfare discussions in the wake of the Stuxnet computer worm – a piece of malware that was launched in 2009 against computers in Iran to disrupt that country’s uranium enrichment program.
Stuxnet spread beyond the targeted systems, however, infecting more than 100,000 computers throughout Iran, India, Indonesia and elsewhere. Because the worm was skillfully crafted to affect only systems operating at one of Iran’s nuclear enrichment plants, it did not harm the other systems it infected.
[From the NYT article:
While popular fiction and films depict cyberattacks as easy to mount — only a few computer keystrokes needed — in reality it takes significant digital snooping to identify potential entry points and susceptible nodes in a linked network of communications systems, radars and missiles like that operated by the Libyan government, and then to write and insert the proper poisonous codes. [First, cyber attacks ARE easy to mount (ask any script kiddie) what is difficult is a subtle cyber attack. Second, let's not pretend that we have not carefully explored the computer networks of any potential adversary. That's just insulting. Bob]


This is inevitable, so we might as well start paying attention...
For iPads in the enterprise, hassles aplenty
In various talks yesterday, Gartner analysts highlighted a series of gotchas that need to be considered before jumping on the enterprise tablet bandwagon. Among the key issues:
  • Apple iPads and tablets may require a Microsoft license.
  • Securing iPads and tablets may require new skills.
  • Formatting.
  • Companies need to come up with consumption policies and new ways to present information.
  • Hosted virtual desktops don't solve everything.
  • Apple isn't an enterprise player.


Perspective: Twits are everywhere!
Twitter Is At 250 Million Tweets Per Day, iOS 5 Integration Made Signups Increase 3x
Twitter CEO Dick Costolo has just dropped some numbers at a speaker dinner here at Web 2.0 Summit in San Francisco. Costolo revealed that the company has gone from 90 million tweets per day in September of 2010 to 100 million at the beginning of this year to 1/4 billion tweets per day as of today, a 177 percent change. Twitter is now serving up a billion tweets every 4-5 days, Costolo said.