Monday, January 02, 2012


I know there are many lawyers who have been waiting for a Y2K problem for at least 15 years, and this is all we could deliver?
Chaos as guests locked out of rooms at Denver hotel
… Room keys malfunctioned with the transition to the new year.
Denver Police say they were called to the hotel as fights broke out among frustrated guests.
One 9NEWS viewer says people were getting sick in the halls, and the elevators were not working.
Denver Police say there were no serious injuries.
The lock-out ended around 3 a.m. According to Marriott, they have comped the rooms for all of the guests due to the inconvenience.
9NEWS has also heard from one person in Hawaii who is staying at a Marriott. She says their entire hotel was also locked out around the same time.
Two other Denver Marriott hotels say they did not have those problems.


There should be a law...
Update on Care2 breach: how to delete the account(s) you didn’t know you had
January 1, 2012 by admin
The more some of us delve into the Care2 breach, the more it becomes clear that the only reason the social networking site can claim almost 18 million members is because many “members” never knowingly signed up as members and had their “membership” created for them without their knowledge or direct consent.
Following my post the other day, the individual who sent me the e-mail notification of the breach used the password retrieval mechanism to see what password Care2 showed for the account she had no recollection of creating. The password they sent her was one they had created for her “account.” Using that, she attempted to retrieve her profile. After being forced to do a password reset, she explored her profile and learned that the account must have been created after she had used the site several years ago to sign a petition. Her “profile” reflected the information she had provided in signing the petition.
At the same time that she was trying to figure out how she wound up with an account she never requested or explicitly authorized, Lee from CyberWarNews.info was sending Care2 public relations an e-mail asking them to comment on numerous complaints from people who also stated they had never knowingly created accounts. In response, they sent him a boilerplate reply, which he kindly forwarded to DataBreaches.net:
From: Randy Paynter
Date: Sun, Jan 1, 2012 at 3:30 AM
Subject: Re: Care2 Public Relations
Please forgive the nature of this automated response. We are working to help everyone as quickly as we can. The best way we can do this is to help you help yourselves using some tools we have made available. These will get you quicker service, and enable us to personally assist those of you who have outstanding requests.
*Unaware that you had an account at Care2.com?
*We sent a warning email about our recent hacking incident to everybody who had at some point in the past 12 years created an account on Care2.com or ThePetitionSite.com. You might not recall having ever done this, which would make our warning email confusing, however at some point in the past you or someone (not us!) created an account with the email address we sent the message to.
[...]
It would seem that people who used the site to sign a petition had a durable account created for them, without their knowledge or explicit consent. If they had consented, they would have created a password instead of what the site shows as the password.
So what did the site’s privacy policy say about use of The Petition Site? According to their privacy policy (archived in the Wayback Machine):
PetitionSite: Care2 owns and maintains the nonpartisan PetitionSite.com. Petition and Public Comment signers are required to provide certain personal information such as name, email address and often street address. This information is required to validate the petition / public comment. Care2 uses cookies and a signature database to provide data integrity and ease of use.
For petitions and surveys you’ve signed or completed, we treat your name, city, state, country and comments as public information—for example, we may provide compilations of petitions, with your comments, to the President and legislators, other targets, or to the press. Unless you have requested to be shown as ‘anonymous,’ this information will also be visible on the website. We will not make your street address publicly available, but we may transmit it to members of Congress, to other public officials, or to other targets as part of a petition to validate your signature. We may also make your comments, along with your first name, city, state and country, available to the press and public online.
Care2 hosts two kinds of petitions: free petitions sponsored by individuals and petitions sponsored by nonprofits.
For the free petitions, only the public information listed above is made available to the petition sponsors or targets.
For many of the petitions sponsored by nonprofits, we provide an advocacy service allowing individuals to send individual e-mails to public officials, legislators, and other targets as well as public comments to government agencies, through our website. These messages are sent in your name, with your e-mail address as the return address and your full name and contact information is provided as part of the submission. These messages will only be sent out under your name as you approve them on an individual basis by signing an action. You are solely responsible for the specific message(s) you send using our email tool. Optional comments will be included in the body of the email message delivered to the petition target.
During the signing process, you may opt to receive certain email newsletters and online memberships, in which case Care2 will send required contact information to those 3rd party providers. However, unless you specifically opt to receive such online offers or send your contact information to 3rd parties during the signing process, Care2 will keep your email address information confidential.
Is that what they view as creating an account? Nowhere does it mention that an account is created for the individual or that they are now a “member.” They do note that the site was TRUSTe certified at the time. Big help that was, huh?
If you got caught up in this mess, you can cancel the account you never knew you had. Here’s how:
1. Login to http://www.care2.com/passport/login.html. Use the e-mail address that received the e-mailed breach notification. Click “forgot password” and have them send you a password. Login with that password.
2. Go to: http://www.care2.com/accounts/delete_this_account.html. Click the button to confirm deletion.
The person who contacted DataBreaches.net was fortunate in that the e-mail address used in signing the petition was still a working e-mail address. Others, who no longer have access to the e-mail addresses they had used are posting messages on Care2.com seeking help in getting back into the accounts so that they can see what information was stored about them in their public profile or so that they can delete their account.
I’ve had numerous discussions over the years with others about the need for explicit opt-in consent. This is just one more example of how people can wind up with their information in databases because they visited or used a site years ago, never knowing what they were getting themselves into.


What was the thinking (if any) that concluded they were not a significant target?
California Statewide Law Enforcement Association (CSLEA) hacked
January 1, 2012 by admin
I don’t know how you partied last night (if you did), but it looks like the AntiSec folks thoroughly enjoyed themselves by releasing data they acquired from the California Statewide Law Enforcement Association (CSLEA).
In a statement on the defaced site earlier in the evening, the hackers referred to the hack as being part of “pr0j3kt m4yh3m,” a response to local governments and law enforcement attacking the #Occupy protesters in cities and parks. But the hackers also offered a broader political justification:
From the murder of Oscar Grant, the repression of the occupation movement, the assassination of George Jackson in San Quentin prison, the prosecution of our anonymous comrades in San Jose, and the dehumanizing conditions in California jails and prisons today, California police have a notorious history of brutality and therefore have been on our hitlist for a good minute now.
Will there be some embarrassed members of CSLEA this morning? It’s likely, as the hackers read and then dumped personal e-mails. But perhaps the greatest embarrassment will be over the fact that even when they could reasonably anticipate an attack, CSLEA failed to prevent it and left too much sensitive information seemingly unencrypted and available:
Interestingly, CSLEA members have discussed some of our previous hacks against police targets, raising concern for the security of their own systems. However Ken [Ken Fair is the Computer & Networks Systems Technician for CSLEA -Dissent] deliberately made some rather amusing lies as to their security. He repeatedly denied having been hacked up until web hosts at stli.com showed him some of the backdoors and other evidence of having dumped their databases. We were reading their entire email exchange including when they realized that credit card and password information was stored in cleartext. This is about the time Ken changed his email password, but not before receiving a copy of the ‘shopper’ table which contained all the CCs. Too late, Ken.
In all fairness, they did make an effort to secure their systems after discovery of the breach. They changed a few admin passwords and deleted a few backdoors. Shut mail down for a few days. They also finally decided to set a root mysql password, but we got the new one: “vanguard”. We noticed that you got rid of the credit card table, and most of the users in your database. Still haven’t figured out how to safely hash passwords though: we really loved your change from ‘redd555′ to ‘blu444′. Clever.
But we still had shell on their servers, and were stealthily checking out the many other websites on the server, while also helping ourselves to thousands of police usernames and passwords (it’s how Special Agent Fred Baclagan at the California DOJ Cybercrimes Unit got humiliated last month). For two months, we passed around their private password list amongst our black hat comrades like it was a fat blunt of the dank shit, and now it’s time to dump that shit for the world to use and abuse. Did you see that there were hundreds of @doj.ca.gov passwords? Happy new years!!
All told, there were 1,076 e-mail addresses and clear-text passwords of people in California government (ca.gov), 321 of which were @doj.ca.gov addresses.
I won’t reproduce everything that was posted in the defacement, but note that they produced an internal exchange of e-mails about the security of the site and members’ information that was, with the clarity of hindsight, overly optimistic at best, and downright wrong at worst.
The hackers also revealed the “shoppers table” that was removed back in November after they discovered that there had been an intrusion. That table included first and last names, e-mail addresses, company and address, phone and fax numbers, and other information on purchases – including dozens of entries with credit card type, full credit card number, and credit card expiration date. The credit card data were in clear text.
/****************************************************************************
LOLOLOL SO MUCH FOR “ENCRYPTED MEMBER DATA”. DAMN KEN YOU DID HALF THE WORK
FOR US. AND DESPITE BEING AWARE OF THE BREACH, YOU STILL COULD NOT KEEP US OUT.
ON TO THE NEXT TARGET…. NEW YORK POLICE CHIEFS, OWNED AND EXPOSED !!!
****************************************************************************/
The passwords roster, uploaded to the web as part of the CSLEA data dump, includes 2,519 first and last names, usernames, clear-text passwords, e-mail addresses, and in some cases zipcodes.
In light of the security concerns law enforcement had after earlier attacks on other law enforcement agencies, AntiSec’s ability to get into CSLEA’s databases should be a source of embarrassment and concern to the organization. That AntiSec was able to continue to traipse around on their server after they became aware of the previous breach is, well, bad.
I haven’t waded through the entire e-mail spool that was dumped, and will leave it to others to search to see if there are any “smoking guns.”
In the meantime, CSLEA is down and all you see if you try to connect to the home page is:
No web site is configured at this address
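The two storage failures the dump exposes are cleartext passwords (the ‘redd555’ to ‘blu444’ “rotation”) and a cleartext credit-card table. The following is an added example, not code from CSLEA, AntiSec or DataBreaches.net, of what a password column should have looked like: each password stored as a salted PBKDF2-HMAC-SHA256 record that carries its own parameters, verified in constant time, and re-salted on every change. The iteration count, record format, function names and the sample rows are all assumptions constructed for the example. It also shows the caveat a practitioner wants: once a hashed table is dumped, hashing only slows an attacker down, and a password like ‘blu444’ still falls to an offline wordlist.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # assumed work factor; tune upward for your hardware
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt. The stored record is self-describing:
    algorithm$iterations$salt_hex$digest_hex, so parameters can change later."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:          # malformed (e.g. a cleartext value) never verifies
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def rotate_password(record: str, old: str, new: str) -> Optional[str]:
    """A real rotation: prove knowledge of the old password, then store the new
    one under a fresh salt. Returns the new record, or None if `old` is wrong."""
    if not verify_password(old, record):
        return None
    return hash_password(new)

def offline_guess(record: str, wordlist) -> Optional[str]:
    """What an attacker does with a dumped hash table: try candidates offline.
    Each guess costs one full PBKDF2 run, which is the only protection left."""
    for candidate in wordlist:
        if verify_password(candidate, record):
            return candidate
    return None

def find_cleartext_rows(rows) -> list:
    """Audit a user table: any password column that is not a hash record is a
    cleartext credential of the kind found in the CSLEA dump."""
    return [r["username"] for r in rows if not r["password"].startswith(ALGO + "$")]

# Constructed sample rows for the example (not real CSLEA data). Card numbers
# are deliberately absent: a 'shopper' table should never hold them at all.
CONSTRUCTED_USERS = [
    {"username": "admin",   "password": "redd555"},                     # cleartext, as found
    {"username": "member1", "password": hash_password("correct horse battery staple")},
]

if __name__ == "__main__":
    rec = hash_password("blu444")
    print("stored record:", rec)                      # no plaintext anywhere in it
    print("login ok:", verify_password("blu444", rec))
    print("cleartext rows:", find_cleartext_rows(CONSTRUCTED_USERS))
    print("offline guess:", offline_guess(rec, ["password", "123456", "blu444"]))
```

Two design points matter here. The record embeds its salt and iteration count, so every user gets a different salt (identical passwords hash differently, and a precomputed table is useless) and the work factor can be raised later without a migration. And `offline_guess` is the honest part: a weak password survives a dump only as long as it is absent from the attacker’s wordlist, so hashing has to be paired with a minimum password quality, not treated as a substitute for it.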


Because sometimes a Tweet is not enough?
Our favorite tech long reads of 2011


English, as she is spoke on the Internet?
An article in The New York Times highlights two growing collections of words online that effectively bypass the traditional dictionary publishing system of slow aggregation and curation. Wordnik is a private venture that has already raised more than $12 million in capital, while the Corpus of Contemporary American English is a project started by Brigham Young professor Mark Davies. These sources differ from both conventional dictionary publishers and crowd-sourced efforts like the excellent Wiktionary for their emphasis on avoiding human intervention rather than fostering it. Says founder Erin McKean in the linked article, 'Language changes every day, and the lexicographer should get out of the way. ... You can type in anything, and we'll show you what data we have.'
[From the Times article:
No modern-day Samuel Johnson or Noah Webster ponders each prospective entry there. Instead, automatic programs search the Internet, combing the texts of news feeds, archived broadcasts, the blogosphere, Twitter posts and dozens of other sources for the raw material of Wordnik citations, says Erin McKean, a founder of the company.]


Might make those pesky 'word problems' easier...
… OpalCalc is an excellent calculation app for Windows computers with .NET 3.5 or higher installed. The app lets you type in your calculations as you normally would on a piece of paper – by indicating which value belongs to which item/expense. Your total is then easily calculated using the dedicated word ‘total.’ You can also assign values to variables and use those variables to calculate formulas.
… OpalCalc offers a free version with a “5 line per calculation” limit. The Pro version removes this limit and can be obtained by donating any amount to the app through PayPal.