Are they suggesting a cover up by the former director? Sure sounds like it. What use would they be?
http://www.pogowasright.org/?p=21834
All of East Chicago Public Library’s records on stolen drives
March 21, 2011 by Dissent
Wow. Steve Zabroski reports:
East Chicago – Indiana State Police arrived at the East Chicago Public Library on Friday afternoon to investigate the reported theft of computer hard drives holding all the library’s records, but the library’s former director said nobody told him about missing equipment.
Manuel “Manny” Montalvo was abruptly fired by library trustees late Wednesday in an action he characterized as illegal, just one month after a previous group of trustees had extended his contract through 2013.
Employees taking inventory Thursday after the change in administration called city police to the main library branch, 2401 E. Columbus Drive, after allegedly discovering hard drives missing from the library’s main computer room and the desktop computer in the office of the library director.
[...]
A locksmith called by Library Board President Clifton Johnson was on the scene opening doors and changing locks, and finally managed to get into the director’s office about 2 p.m., when employees were able to confirm that that drive, too, was physically missing.
Read more on NWI.com
If all of the library’s records means, quite literally, all of their records, this is one horrific breach – not only because of employee personnel information and records that could be on the drives, but have all of the library patrons’ records been stolen, too, showing what they read and when?
If anyone sees a follow-up on this one, please let me know!
Another interesting breach
http://www.pogowasright.org/?p=21838
Play.com joins ranks of firms with breaches of customer email addresses
March 22, 2011 by Dissent
Online retailer Play.com has been accused of leaking its customers’ email addresses to spammers.
Many customers reported receiving a spam email yesterday, offering an Adobe Reader upgrade which requires registration and payment. Some of these emails were sent to unique email addresses that have only been used at play.com, [Think of this as the “canary in the mine” test for security breaches. Bob] suggesting that the spammer had access to private customer details.
Most complaints relate to an email with the subject line “Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now“
Read more on Netcraft.
Play.com has now acknowledged the breach. Patrick Goss reports:
Play.com, one of Britain’s best known online retailers, has suffered a security breach that has compromised customer’s email addresses and names.
Play has issued an email to customers admitting the problem and blamed its third-party marketing communications company for the leak.
Read more on TechRadar. The marketing firm was not named.
There seems to a goodly number of complaints concerned hacked or leaked names email addresses (and in some cases, passwords!) these days. I haven’t covered most of them on DataBreaches.net, but this is the second complaint I’ve received like this this just this week involving people who used site-specific email addresses receiving spam and suspecting a leak or breach.
The other complaint I received this week was from a reader who has been receiving a number of spams and 419 attempts to an address that he created specifically for ProFlowers.com. ProFlowers.com did not respond to a request I sent them last week asking to speak to someone about the concern, and I have no idea if that situation could possibly be related to a breach involving SilverPop, a company that handles businesses email marketing lists, or if it’s wholly unrelated as SilverPop never released a list of affected clients after their breach. But we’ve seen a number of brick-and-mortar as well as online businesses like dating sites have their user lists or customer lists seemingly compromised in the past few months. Some of them may have been for personal reasons (e.g., Gawker was specifically targeted to teach them a lesson), while others may have been compromised for purposes of spamming.
Whatever’s going on, this is a good time to change passwords on accounts that you care about. Using site-specific passwords and usernames is also a good idea, as it will help you contain any damage should a user list be compromised and it will help you identify which company had the breach.
Small numbers, but great physical risks...
http://www.databreaches.net/?p=17164
UK: Security scare as council loses memory stick containing medical info and access codes to the homes of thousands of vulnerable people
March 22, 2011 by admin
The Daily Mail reports:
A council has lost a memory stick containing home security codes and medical information for thousands of elderly people. The data device holds the medical details on 4,000 people looked after by Leicester City Council support service as well as 2,000 key codes which can be used to gain access to their homes.
The codes, used by LeicesterCare, the council service that supports vulnerable people, open outside boxes that contain keys to people’s front doors.
The council launched an operation to reset all the codes after admitting they lost the data more than two weeks ago in a massive security breach.
The memory stick, used to back up information on council computers, was supposed to be locked in a safe every night.
But council staff reported it missing to the Information Commissioner’s Office (ICO) on March 9 – four days after it disappeared.
Read more on Daily Mail. It’s not totally clear to me whether the data were encrypted or otherwise adequately secured. On the one hand, they’re notifying everyone and changing access codes, which suggests that it’s not encrypted. But there’s also this statement in the story, attributed to a council spokesperson:
‘However, while we have been assured by our supplier the information on the device is not accessible to anyone who may find it, [Why not? Because you need a computer? Bob] we are taking every precaution and we are urgently carrying out changes to the keysafe codes of around 2,000 users.
Insuring the Cloud. It would be interesting to see how they define it...
http://www.databreaches.net/?p=17161
Data Breach in the Clouds
March 22, 2011 by admin
David Navetta writes:
I was recently provided an opportunity to write the lead article for Hisox’s new “global technology news” publication. Hiscox is one of the leading international insurers of “cyber risk” (a.k.a.data security and privacy insurance) and has taken an active role in understanding and insuring this risk. Their expertise lead them to focus on the challenges of breach/incident response in the Cloud (among other cloud computing issues).
Read more on InformationLawGroup.
I wonder how much effort (expertise and treasure) is being expended here.
http://www.nytimes.com/2011/03/22/world/asia/22china.html?_r=1
China Tightens Censorship of Electronic Communications
A host of evidence over the past several weeks shows that Chinese authorities are more determined than ever to police cellphone calls, electronic messages, e-mail and access to the Internet in order to smother any hint of antigovernment sentiment. In the cat-and-mouse game that characterizes electronic communications here, analysts suggest that the cat is getting bigger, especially since revolts began to ricochet through the Middle East and North Africa, and homegrown efforts to organize protests in China began to circulate on the Internet about a month ago.
… Several popular virtual private-network services, or V.P.N.’s, designed to evade the government’s computerized censors, have been crippled.
… In an apology to customers in China for interrupted service, WiTopia, a V.P.N. provider, cited “increased blocking attempts.” No perpetrator was identified.
Beyond these problems, anecdotal evidence suggests that the government’s computers, which intercept incoming data and compare it with an ever-changing list of banned keywords or Web sites, are shutting out more information. The motive is often obvious: For six months or more, the censors have prevented Google searches of the English word “freedom.”
Gosh, maybe students do have some privacy rights... I don't even what to ask what rights Mom and Dad might have to communicate with their child.
http://www.pogowasright.org/?p=21844
Texas Teen Scores Legal First in ‘Sexting’ Privacy Case
March 22, 2011 by Dissent
Matthew Heller writes:
A Texas teenager has taken a major step toward winning her privacy lawsuit against an assistant middle school principal who searched the contents of her cell phone, finding a nude photo of her. [Does that immediately make him a “possessor of Child Pornography?” Bob]
Alexis Mendoza, then an eighth-grader at Kimmel Intermediate School in Spring, Texas, admitted sending the photo to a boy because he had sent similar photos to her. She sued the principal, assistant principal and school district in December 2009, alleging the search of her cell phone went beyond what was reasonable to determine whether she had been using it during school hours to send text messages.
Read more about this case on OnPoint. The court seemed to uphold the school’s right to search for non-content information because they had reasonable suspicion that the student used the phone during school hours on school premises, in violation of school policy. But the judge held that the right to search did not extend to the content of those messages.
If you care about student privacy and Fourth Amendment issues, this is a good case to watch, and Matthew Heller provides links to relevant court documents.
I must admit, their strategy baffles me. You are limited to 20 articles per month except you aren't if you get there by following a Blog link, but it does screw you up if you go to the “Official Times” site and try to use that... Huh???
http://techcrunch.com/2011/03/21/pay-sieve/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
All Blog Links To The New York Times Will Be Freebies. This Could Get Ugly.
It’s not news that the New York Times payfence isn’t much of a fence. We’ve already written about the Facebook and Twitter loophole, but it turns out that the loophole is more like a loop chasm.
NYT head Martin Nisenholtz told AllThingsD’s Peter Kafka on Friday that all blog links will render stories accessible for non-subscribers. [Thanks, I think... Bob] And while blog and social media referral visits will count towards the 20 free articles a month allotted, Times articles will not be blocked if a user goes over their limit and clicks on a Times link from an aggregator like Digg or Reddit or a blog like TechCrunch. Users will, however, be out of luck if they subsequently try to go to the Times’ website directly that month.
Who came up with this idea? Did Equifax “sell” them the idea or is it already being used in other government areas?
http://www.washingtonpost.com/local/us-may-strengthen-identity-verification-system-for-workers/2011/03/21/ABH8Si8_story.html
U.S. may strengthen identity verification system for workers
The federal government is exploring the possibility of using a credit rating giant like Equifax to verify the identity of American workers, a move that could make it far more difficult for undocumented immigrants to get work using stolen Social Security numbers.
The plan by the Department of Homeland Security, which is still preliminary and would probably require congressional approval, could have far-reaching consequences. The government already allows employers to check the legal status of employees using a system known as E-Verify, but hundreds of thousands of undocumented immigrants beat the system by using stolen Social Security numbers.
… On Monday, the government announced that it would begin allowing individuals in the District, Virginia and four other states to voluntarily use a system provided by Equifax to verify their identity. Once they did that, they could access a federal database to verify their authorization to work. The move will help the small number of legally authorized immigrants and U.S. citizens who encounter problems each year when an employer runs their Social Security numbers through the E-Verify system. [Is this an admission that e-Verify isn't working properly? Bob]
By giving workers the ability to check their records before they apply for a job, authorities said that citizens and immigrants who are authorized to work will be able to take care of spelling mistakes and other common errors. The voluntary program will be piloted in the District, Virginia, Arizona, Colorado, Idaho and Mississippi. It will be expanded nationwide in the coming months.
Implications for whistle blowers.
http://www.pogowasright.org/?p=21828
Ex-Employee’s Blogs Can’t Be Stopped Absent Extraordinary Circumstances, New York Court Rules
March 21, 2011 by Dissent
Joseph Lazzarotti and John Snyder comment on Cambridge Who’s Who Publishing v. Sethi, a case recently covered on DataBreaches.net because of its reference to an alleged data breach that had never been reported in the media. Of significance to me, the court ruled that Cambridge Who’s Who could not get an injunction that would stop its former employee from writing about a data breach that occurred while he was employed by them, nondisclosure agreements notwithstanding. As I noted in my comments, I was pleased that the judge appreciated the significance of data breaches to the public and that such revelation would be protected speech.
Lazzarotti and Snyder discuss the case from the perspective of workplace law on Workplace Privacy Data Management & Security Report. They write, in part:
Cambridge provides employers with several significant lessons.
First, it is instructive of the enforceability of a non-solicitation-of-customers provision that it enforced by injunction.
Second, absent compelling facts constituting “extraordinary circumstances,” courts generally are reluctant to enjoin or restrain speech that may be protected by the First Amendment.
Third, the decision raises two key points about data security:
Companies that experience an unauthorized access to or acquisition of personal information that they possess may be required to report the unauthorized access to affected individuals and certain state agencies. In New York, there are three state agencies that must be notified in cases of certain breaches of personal information: Office of Cyber Security, Attorney General’s Office, and Consumer Protection Board.
Likewise, companies must take appropriate steps when employees complain about or raise data-security issues. In at least two court decisions, one in New Jersey and the other in California, employees were permitted to proceed with claims of employment retaliation upon asserting they have suffered an adverse employment action after their complaints about data security at their companies.
What I find intriguing is that this breach was never reported to the New York State Consumer Protection Board, even though there seems to be some documentation from one of the vendors that would seem to confirm that data went missing. Cambridge Who’s Who has not responded to an email request for a statement or clarification on these allegations, but I will keep trying to find out what, if anything, happened there.
This suggests companies with a high cost of customer acquisition should have the best security.
http://www.databreaches.net/?p=17152
2010 Annual Study: U.K. Cost of a Data Breach
March 21, 2011 by admin
This 2010 Ponemon Institute benchmark study, sponsored by Symantec Corporation, examines the costs incurred by 38 organisations after experiencing a data breach. Results were not hypothetical responses; they represent cost estimates for activities resulting from actual data loss incidents. This is the fourth annual study of this issue.
Breaches included in the study ranged from 6,900 records to 72,000 records from 13 different industry sectors.
And because some of us having been looking more closely at the issue of whether churn rates and “harm” are being objectively measured and reported, here’s what the study says on churn:
Customer turnover in direct response to breaches remains the main driver of data breach costs: Abnormal churn or turnover of customers after data breaches appears to remain the dominant data breach cost factor. Regulatory compliance helps lower churn rates by boosting customer confidence in companies’ IT security practices.
Average abnormal churn rates across all 38 incidents dropped a point to 3 percent. The sectors with the highest 2010 churn rate were communications, financial and services, all at 7 percent. The industries with the lowest abnormal churn rates were transportation (2 percent), consumer and retail (each at 1 percent) and public sector (less than 1 percent).
Once again, though, churn rate is merely the estimate of the interviewee and does represent verified data.
You can download the full report from Symantec’s site.
For my Data Analysis students
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1789749
Tragedy of the Data Commons
Jane Yakowitz Brooklyn Law School March 18, 2011
Abstract:
Accurate data is vital to enlightened research and policymaking, particularly publicly available data that are redacted to protect the identity of individuals. Legal academics, however, are campaigning against data anonymization as a means to protect privacy, contending that wealth of information available on the Internet enables malfeasors to reverse-engineer the data and identify individuals within them. Privacy scholars advocate for new legal restrictions on the collection and dissemination of research data. This Article challenges the dominant wisdom, arguing that properly de-identified data is not only safe, but of extraordinary social utility. It makes three core claims. First, legal scholars have misinterpreted the relevant literature from computer science and statistics, and thus have significantly overstated the futility of anonymizing data. Second, the available evidence demonstrates that the risks from anonymized data are theoretical - they rarely, if ever, materialize. Finally, anonymized data is crucial to beneficial social research, and constitutes a public resource - a commons - under threat of depletion. The Article concludes with a radical proposal: since current privacy policies overtax valuable research without reducing any realistic risks, law should provide a safe harbor for the dissemination of research data.
(Related) An application of Data Mining/Data Analysis. Matching you work email to your personal grocery purchases... A piece of cake.
http://techcrunch.com/2011/03/22/googlers-buy-more-junk-food-than-microsofties-and-why-rapleaf-is-creepy/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
Googlers Buy More Junk Food Than Microsofties (And Why Rapleaf Is Creepy)
If you weren’t creeped out by data-mining startup Rapleaf after reading about their ways in a relatively unsettling Wall Street Journal article published last October (“The San Francisco startup says it has 1 billion e-mail addresses in its database”), chances are you will be now.
For its latest ‘study’, Rapleaf has tapped its database of identifiable information to extract a sample of 6,000 Google employees (email addresses ending in @google.com) and 16,000 Microsoft employees (email addresses ending in @microsoft.com) and subsequently analyzed their grocery purchase behavior in partnership with an unnamed loyalty cards aggregator.
Of course, we don't need anything as obvious a email or cookies to identify you.
http://www.pogowasright.org/?p=21849
Device Fingerprinting Raises Privacy Fears
March 22, 2011 by Dissent
Jack Marshall reports:
Privacy advocates have expressed concern about device fingerprinting, an emerging technology that allows advertisers to uniquely and persistently identify connected devices such as computers, smartphones, and tablets.
When sending or receiving data, connected devices transmit pieces of information about their properties and settings, which can be collected and pieced together to form a unique, persistent “fingerprint” for that specific device.
Once a device has been assigned a fingerprint, advertisers can use that ID to track its behavior as it moves across the web, providing similar functionality to a cookie. The strength of a fingerprint, however, is that it tracks the device itself rather than the cookie placed on it, meaning it cannot be deleted or lost, and can – in theory – remain consistent for the life of a device.
Read more on ClickZ
Another front in the “You don't buy books, you license them” war.
http://yro.slashdot.org/story/11/03/22/0231214/Amazon-Stymies-Lendle-E-book-Lending-Service?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Amazon Stymies Lendle E-book Lending Service
"CNET quotes Lendle co-founder Jeff Croft: 'They [Amazon] shut the API access off, and without it, our site is mostly useless. So, we went ahead and pulled it down. Could we build a lending site without their API? Yes. But it wouldn't be the quality of product we expect from ourselves.' Croft also said 'at least two other Kindle lending services got the same message' yesterday.'"
(Related) Publishers face the same future as the Music Labels. Is there a similar solution?
http://news.slashdot.org/story/11/03/22/0125218/Best-Selling-Author-Refuses-500k-Self-Publishes-Instead?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29
Best-Selling Author Refuses $500k; Self-Publishes Instead
Last week we discussed an IT book author's adventures in trying to self-publish. Now, an anonymous reader points out an article examining another perspective:
"Barry Eisler, a NY Times best-selling author of various thriller novels, has just turned down a $500,000 book contract in order to self-publish his latest work. In a conversation with self-publishing aficionado Joe Konrath, Eisler talks about why this makes sense and how the publishing industry is responding in all the wrong ways to the rise of ebooks. He also explains the math by which it makes a lot more sense to retain 70% of your earnings on ebooks priced cheaply, rather than 14.9% on expensive books put out by publishers."
A milestone...
http://techcrunch.com/2011/03/22/boom-professional-social-network-linkedin-passes-100-million-members/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29
Boom! Professional Social Network LinkedIn Passes 100 Million Members
(Related) Mapping your professional connections.
http://www.makeuseof.com/tag/3-ways-meaningfully-visualize-linkedin-network/
3 Ways To Meaningfully Visualize Your LinkedIn Network
We are going to put this on every computer at the University.
http://www.makeuseof.com/tag/microsoft-mathematics-40-advanced-calculator-tool-students-love/
Microsoft Mathematics 4.0 – An Advanced Calculator Tool That Students Love
With a simple program from Microsoft named Microsoft Mathematics 4.0, you have the full power of a graphing calculator – and more – right at your computer.
… When you launch the program you have an interface that is very similar to any other graphing calculator. You can enter your numbers and calculations directly into the program by either pressing the buttons with your mouse or just typing it in.
… You can also draw your calculations and Mathematics will try to decipher your drawing into an equation. This is helpful if you receive an problem but don’t know exactly how to enter it into the program. It works fairly well, but does have some difficulty decoding some more complicated equations.
… Another interesting portion of the program is the equation solver. Once you type in an equation it will help you step through to solve it for one of the variables you have listed.
If you are interested in learning how you can apply Microsoft Mathematics to help your child or student learn mathematics, Microsoft offers this free guide to give you learning ideas.
The Equation Library built into the program also gets you started on some interesting ways you can enter data into the program.
… Microsoft Mathematics 4.0 can be downloaded here and is free. It is only available for Windows, however if you have VirtualBox you will be able to run it on any other OS.