Thursday, December 31, 2009

"Reasonable Expectation" of email privacy extended to workplace

A few months ago personal email was given the same privacy status as postal mail. On December 10th the U.S. District Court of the District of Columbia ruled that an employee's personal email sent on company equipment can have the same expectation - if certain conditions are met. The case was Convertino v. US Dep't of Justice, and stemmed from the DOJ's desire to access personal emails that an employee had sent to his lawyer from work. He argued attorney-client privilege; the DOJ argued he could have no expectation of privacy with email he sent from work. The judge ruled that the employee did have a reasonable expectation of privacy. The decision was based on these points:

* DOJ's computer use policy did not prohibit personal use of the DOJ email system.
* The employee took steps to delete the privileged emails promptly.
* The employee was not aware that DOJ's system retained a copy of the emails after he had deleted them.

This is a good thing, but it has a downside. If your employers make it clear that company policy prohibits personal use of company email, absolutely any email sent through your company is fair game. If you don't delete the emails promptly, they could become fair game, even if there is no policy against personal use of email.

The best way to handle the pitfalls of using company email to send personal messages is, don't, but if you have to, this gives you some possibility of keeping the messages private.

Wednesday, December 30, 2009

He should work for Homeland Security

Frank Janosko was sentenced to 18 months for hacking a prison computer while he was incarcerated at the Plymouth County Correctional Facility (PFFC) in Plymouth, Massachusetts. He was granted access to the "thin client" computer that only ran a program to allow inmates to do legal research. Mr. Janosko used a quirk in the software to send email and find information on over a thousand PFFC employees. I talked Monday about the U.S. government having trouble finding people with cyber security skills. This guy looks like a natural born pentester. Maybe they should hire him.

Tuesday, December 29, 2009

Transportation Insecurity revisited

December 25th, Christmas day. Umar Farouk Abdulmutallab boarded Delta/Northwest flight 253 carrying common, easily detected explosives. The man was suspected to have terrorist ties and was even on the terrorist watchlist. According to some reports his father had reported concerns about his son's radical views. According to the authorities, they couldn't find enough evidence to warrant placing him on the no fly list.

I could understand not placing much weight on allegations by a business rival, former lover, or something like that, but this was the man's father. If that doesn't warrant extra consideration, what does it take, setting off a bomb?

Oh, wait, that is what it took.

We don't need more manpower for our security. We probably don't need more money. We need fewer people but with more brains.

UPDATE: Two of the Yemeni Al Qaeda leaders responsible for this attack were released from Guantánamo Bay in 2007. They were released into Saudi custody, where they underwent (unsuccessful?) rehabilitation. Is closing Gitmo really a good idea, Mr. President?

Update II: President Obama has recognized the danger. In a statement reported by the AP (via Yahoo News) he says,

"It now appears that weeks ago this information was passed to a component of our intelligence community but was not effectively distributed so as to get the suspect's name on a no-fly list. Even without this one report, there were bits of information available within the intelligence community that could have and should have been pieced together."

Again, the problem isn't lack of information, it's communication between agencies and departments within agencies. 8+ years later, and we're still fighting this problem.

[edited at 8:10 am with new information by Bert]
[edited again at 5:05 pm to include Obama quote]

Monday, December 28, 2009

Do you have the skills?

The feds are looking for people with the skills necessary to move the U.S. into the 21st century, cybersecurity wise. If you have the skills to help secure our networks and a security clearance, you can make some pretty good money, even if you don't have a ton of experience. You do have to have some, but the main point is that you have some experience and a security clearance. Cyber attacks have tripled recently, but cybersecurity talent with security clearance is so rare that government agencies and government contractors are fighting for the same people, and the government can't compete.

The government's inability to pay competitive salaries is hurting our ability to protect important data. The problem isn't being able to figure out how the bad guys might get at it, it's in figuring out how to close the holes we can find. And the ability to respond to a breach varies widely from department to department. The State Department has well equipped and trained staff who can respond quickly, determine the attack vector, and plug the hole, then analyze and determine ways to prevent similar attacks in the future. The Commerce Department, which handles data every bit as sensitive as State, lacks similar equipment and training. Both suffered serious breaches. State was able to determine how it was done and prevent data theft. Commerce was never able to determine how the attack was pulled off, although they say no data was compromised. But they still replaced hundreds of workstations.

This is a serious problem. Organized crime and hostile governments (note: in this context, all other governments are hostile) are marshalling major resources at cracking the security in U.S. government and private corporate facilities. It is not the government's place to protect private companies (nor should it be), but it is of paramount importance that government agencies are able to keep data safe from prying eyes. Their databases contain information that could do irreparable damage to our ability to compete in the marketplace. They contain data on research in all types of technology that we would not want falling into enemy, and maybe not even friendly, hands. If there is any one area we cannot afford for our government to skimp on, it is national security, and part of that is making sure that we have the best cybersecurity experts providing the best policies and procedures for preventing breaches, and when they do occur, detecting, plugging, and cleaning up after them quickly and efficiently.

Thursday, December 24, 2009

Merry Christmas, everyone

Or Happy Hanukkah. Whatever holiday you celebrate this time of year, enjoy it. I'll be back Monday.

Wednesday, December 23, 2009

I guess he's never heard of blinds...

Erick Williamson decided to spend a morning in the buff packing and drinking coffee. Trouble is, on this fine October morning, two women saw him through the windows of his home, and didn't think highly of his unusual morning ritual. He was convicted of public indecency, but given a suspended sentence and no fine. Not satisfied, Mr. Williamson is appealing, saying he never intended anyone to see him. His lawyer says that neither of the conditions required for an incident to be considered obscene by Virginia law was met. Those requirements are "an obscene display or exposure" and must be in a "public place or place where people are present."

I'm no lawyer, but when people see you from the street it seems to me that you should either be putting on clothes or buying drapes. And you definitely shouldn't be singing loudly or rattling things around. And I almost hope an appeals court gives him some jail time and a fine, because he obviously needs to be educated on how to respond to a lenient court.

Tuesday, December 22, 2009

Twitter hacked via email

Twitter was hacked and their DNS data changed. The trick was done through a compromised email account. This isn't the first time something like this has happened to Twitter. It makes me wonder just how safe social media really is, if security failure is just one weak password away.

Monday, December 21, 2009

Netflix: Outing the Gay and Lesbian community since 2006.

Privacy policies - almost nobody reads them. When it comes to social networks and online services they almost all give the service provider the right to release "anonymized" data. Several places reported today that a class action suit against Netflix has been initiated because the data they are releasing can actually be tracked back to the original user. I first read of it in Wired's Threat Level blog, but one of the most detailed stories is at Ars Technica.

It seems the problem stems from a contest Netflix launched in 2006. It released two sets of data for contestants to manipulate. The goal was for someone to design an algorithm that would be 10% better at predicting the reviews a person would make for other movies based on the review they gave movie(s) in the data sets. The problem is, video rental data is legally among the most protected in the U.S. The allegation is that by releasing the "anonymized" data Netflix violated those laws. One of the plaintiffs is an in-the-closet lesbian mother who fears that the data released could out her and have bad effects on her ability to support her family. She has good reason to be concerned. The Netflix contest took place a few months after "anonymized" data from AOL was used by reporters to identify AOL users. So it really wasn't very surprising that just a few weeks after Netflix started its contest researchers were able to identify Netflix users - along with their political leanings and sexual orientation. Oops.

The second part of the lawsuit seeks to prevent the launch of the next contest. Living proof that stupidity is a life long problem (and corporations can live a long time), Netflix wants to provide more "anonymized" data this time. And that data will include zip code, age, and gender. When you combine that with the movie ratings and ID numbers it will be more than enough data to ID Netflix customers. Again.

The bad thing about all of this...well, one of the bad things, is that it has been obvious for years that the traditional 'scrubbing' of data is no longer adequate for anonymizing. Mark Dixon looks into the history of re-identifying data and sees that if data continues to be handled the way it is now, every time any company releases anonymized data they are releasing re-identifiable data.

Unless you are up for canonization by the Catholic Church, that should scare the bejeezus out of you.
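
An added example, not from the original post or from Netflix: a pre-release check that counts how many records share each zip code / age / gender combination (k-anonymity, a standard measure the post does not name), then generalizes and suppresses until every released row hides among at least `k_min` others. The rows and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample rows: (subscriber_id, zip_code, age, gender).
ROWS = [
    (1001, "75201", 34, "F"),
    (1002, "75201", 36, "F"),
    (1003, "75204", 31, "F"),
    (1004, "75204", 52, "M"),
    (1005, "75209", 58, "M"),
    (1006, "75230", 55, "M"),
    (1007, "76102", 23, "M"),
]


def raw_key(row):
    """Quasi-identifiers exactly as the post says they would be released."""
    _, zip_code, age, gender = row
    return (zip_code, age, gender)


def generalized_key(row):
    """Coarsened quasi-identifiers: 3-digit zip prefix and a ten-year age band."""
    _, zip_code, age, gender = row
    decade = age // 10 * 10
    return (zip_code[:3] + "**", f"{decade}-{decade + 9}", gender)


def k_anonymity(rows, key):
    """Return (k, ids of subscribers who are alone in their group)."""
    sizes = Counter(key(r) for r in rows)
    singled_out = [r[0] for r in rows if sizes[key(r)] == 1]
    return min(sizes.values()), singled_out


def release(rows, key, k_min):
    """Drop the subscriber id, generalize, and suppress groups smaller than k_min.

    Returns (released rows, number of suppressed rows).
    """
    sizes = Counter(key(r) for r in rows)
    released = [key(r) for r in rows if sizes[key(r)] >= k_min]
    return released, len(rows) - len(released)


if __name__ == "__main__":
    print("raw:", k_anonymity(ROWS, raw_key))
    print("generalized:", k_anonymity(ROWS, generalized_key))
    rows_out, dropped = release(ROWS, generalized_key, k_min=3)
    print(f"released {len(rows_out)} rows, suppressed {dropped}")
```

Passing this check is necessary but not sufficient: it only covers the demographic columns, and the post notes that researchers identified users from the contest data itself.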

Saturday, December 19, 2009

Catching phish

Phishing - the art of crafting a bogus email in such a way that significant numbers of people will click on links inside it, even when they should know the email did not come from the person or group it claims to represent.

First, let's take a look at the information you see when you first glance at the email:

The simple things to look for

This one is actually pretty obvious. I've never worked for Schlumberger or belonged to their employee credit union (they do have one), so I can safely assume I have no account data to verify. But if that wasn't enough, look at the actual 'from' address. The email is supposedly from Schlumberger, but the email address is Unlikely to be an address used by Schlumberger. Additionally, the 'to' address isn't my address, but

That's all good in a case like this, but what if it's not so obvious? Phishers can forge links, 'to' and 'from' headers, and even the golden 'security lock' that's supposed to tell you when you're connected to a secure site. What if you get emails claiming to be from eBay, or PayPal that don't seem right, but look really good? There are a couple of rules to go by in a situation like that:

First, if they are asking you to click a link to verify an account, they are probably bogus.

Second, never click a link in an email that is asking you to verify anything. Look the company's number up and call them or look up their website in a search engine, but don't use the links or any other contact information given in an email.

Third, if you do click on a link, check the URL in your browser. If you were going to Paypal and get you're probably on a bogus site.
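
The checks described above, as an added example that is not part of the original post: it compares the brand named in the 'from' display name with the sending domain, compares the 'to' address with your own, and flags links whose visible text names one host while the link goes to another. The brand-to-domain map, the sample messages and all addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a hand-maintained map of brand name -> domains that brand really uses.
KNOWN_BRANDS = {"paypal": {"paypal.com"}, "ebay": {"ebay.com"}}

# Visible link text that itself looks like a URL or host name.
URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "PayPal Security" <service@paypa1-alerts.example>
To: someone.else@example.net
Subject: Please verify your account
Content-Type: text/html

<p>Your account is limited. Verify it here:</p>
<a href="http://198.51.100.23/paypal/login">https://www.paypal.com/verify</a>
"""

SAMPLE_OK = """\
From: "PayPal" <service@paypal.com>
To: me@example.org
Subject: Your receipt
Content-Type: text/html

<p>View the receipt in <a href="https://www.paypal.com/signin">your account</a>.</p>
"""


def host_in(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message, my_address):
    """Return a list of (code, detail) findings for one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    # 'from' check: display name claims a brand the sending domain does not belong to.
    display, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rpartition("@")[2].lower()
    claimed = [b for b in KNOWN_BRANDS if b in display.lower()]
    for brand in claimed:
        if not host_in(sender_host, KNOWN_BRANDS[brand]):
            findings.append(("from-mismatch", f"{display!r} sent from {sender_host}"))

    # 'to' check: the message is not addressed to the mailbox it landed in.
    recipient = parseaddr(msg.get("To", ""))[1]
    if recipient.lower() != my_address.lower():
        findings.append(("to-mismatch", recipient))

    # Link check: where the link really goes versus what it shows.
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload())
    for href, text in collector.links:
        href_host = (urlsplit(href).hostname or "").lower()
        shown = ""
        if URLISH.match(text):
            shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if shown and shown.lower() != href_host:
            findings.append(("link-mismatch", f"shows {shown}, goes to {href_host}"))
        elif any(not host_in(href_host, KNOWN_BRANDS[b]) for b in claimed):
            findings.append(("link-offbrand", href_host))
    return findings


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_PHISH, "me@example.org"):
        print(code, "-", detail)
```

A clean result does not prove a message is genuine, since headers can be forged; the rule of not following emailed links still applies.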

I hope this was helpful. Remember, if they want you to provide information via email or a link from email, be wary.

Friday, December 18, 2009

Privacy Rx: Never answer "account verification" emails

A few days ago a doctor at the University of California San Francisco School of Medicine was tricked into giving his email account information. His email account contained some personal data about patients. How was he tricked? The email was designed to look like an official university email. So the first thing to do is put a strong policy in place that the university will never ask for account information through email. Then make sure that everyone knows this.

Well this is a short blurb today, but tomorrow we will go over a phishing email and see how you can detect one.

Who's watching the watchers? The Insurgents.

The Wall Street Journal broke the story. It turns out that high tech comes pretty cheap. Insurgents in Iraq are monitoring some of the data feeds from the U.S. Predator drones using satellite dishes and the $25.95 "Skygrabber" software. Skygrabber was designed to access satellite signals and download data - supposedly legally. Turns out it does a pretty good job of stealing Predator drone data feeds, too.

What confuses me is that the drone feeds are not encrypted. I know military intelligence is supposed to be an oxymoron, but even if interception is unlikely you have to expect it to happen and take steps to either prevent it or make the intercepted data worthless. By strong encryption, for example. So this statement boggles my mind:
"The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn't know how to exploit it, the officials said."

Ok. You've known about this for more than 10 years, but assumed that the local yokels could not, and would never be able to figure out how to capture your streaming data. Now that's "military intelligence."

To be fair, adding encryption isn't like installing some software, and there are concerns that encryption might cause difficulties in rapid interpretation of the feed data, and in sharing data between services. And that's enough fairness. They've known about the vulnerability for 10+ years, and not only have they not fixed it in the current drone model, it's still part of the design in the new model that is about to go into production. I can see the difficulties of modifying the current design, but to not put encryption on the new model boggles the mind. Hopefully, now that we know people are accessing the drone feeds the new drones will be updated to have encryption.

Thursday, December 17, 2009

rockyou stoned, Facebook infiltrated

Social networking addon site is the latest victim of data theft. The hacker posted about it on his blog after getting ticked because rockyou was lying about the amount of data that had been stolen. But the worst part was that the usernames and passwords – all 32.5+ million of them – were in plaintext. And there were also logins to 3rd party sites because rockyou allows users to create content for sites like MySpace and Facebook. Judging from the comments the hacker makes, MySpace and other sites may have similar insane security practices. I looked at the rockyou site as soon as I heard about it, and there was a short, one paragraph message to users about the "minor" breach. A few minutes ago I went back and the link - worded the same as before - was several paragraphs and 1 1/2 to 2 pages long. It started with:
"Our users' privacy and data security have always been a priority for RockYou and we strive to keep them secure. Our users have confidence in our services and we will continue to ensure that confidence is deserved."

Sounds very nice and up-front. And I suppose it is the truth, since it only addresses the services, not the security of the services. Historically, rockyou has been a lot more concerned with talking about how concerned they are with privacy and security than they have been with actually providing it.  In September of 2008 they embarrassed and outraged hundreds of companies that produce Facebook apps by cc'ing them all on an email. They were very apologetic:
"On the behalf of RockYou, I want to apologize to all of our publishers for the slip. While it was unintended, it was a material mistake. We take privacy of all our partners very seriously and have reviewed and corrected the process that enabled this. We continue to work hard to maximize results but its apparent we will also need to work even harder to regain and maintain trust. For those of you affected, please email me directly with any questions, issues or concerns. My email is (ro at – yes, i’m willing to share in the pain)."

Very nice, and very full of bovine excrement. They did the same thing on November 25th of 2008, and again in January 2009.

As if it's not bad enough to have one of the companies heavily involved with Facebook apps proving that, while ignorance is curable, stupidity is a life long problem, Facebook is being besieged by a new variant of the Koobface worm. Hopefully by now (it was announced a week ago) all of the anti-virus vendors have updated their definitions - if yours hasn't, get a different A/V package. Hopefully all Facebook users have up to date anti-virus. Yeah, right. I'll believe that when I hit the lotto 3 weeks running.

The important details are that the virus is spread by placing a "Christmas video" on your wall. When you click on the video it loads "koobface.GK" and installs it. Then it pops up a captcha for you to solve. It won't go away until you solve the captcha, even if you shutdown and restart. The captcha is actually the last step in creating a new Facebook account, which proceeds to spread the worm.

By their nature Facebook, MySpace, LinkedIn, etc. are high risk, dangerous places. They encourage blind trust in the site, and in other users. Unfortunately that trust plays right into the hands of the bad guys. It is best to put as little information about yourself as possible and treat links on your wall the way you would treat links in email from people you don't know. Don't "Friend" with someone just because they know someone you do, and use as few apps as possible so you don't sell your friends out. Social networks are fun and a great way to stay in touch with old friends, but like a bazaar in Baghdad, it pays to keep your guard up while you're there.

Wednesday, December 16, 2009

Data Breach Bill passes House

HR221, the Data Accountability and Trust Act, passed in the House December 8th and was referred to the Senate on the 9th. The bill requires security policies for consumer information, regulates the information broker industry, and establishes a national breach notification law.

This bit of news got lost in the face of Facebook changes and Google CEO pronouncements. It deserves more attention, and after I've read more about it I will come back to it. Since the bill is going to the Senate, now would be a good time to contact your senator and provide your thoughts on data breach notification.

Tuesday, December 15, 2009

Google CEO scoffs at privacy

Last week, just days after announcing Google Public DNS and raising the question of how much do we really want Google to know about our web activity, Google CEO Eric Schmidt gave us the answer in an interview on CNBC. The answer is, as little as possible. When the CEO of Google basically says, "you have no privacy, get over it" it's time to let him know that it does matter. I'm not too impressed by the way he used the Patriot Act to justify it, either.

Asa Dotzler, Mozilla's chief of community development, feels the same way. In his blog he tells people to add Bing to Firefox. You know if Mozilla, one of the opponents Microsoft couldn't quite kill, is suggesting a Microsoft product they have serious concerns. The add-on he links to is here. He also says that the Bing privacy policy is better than Google's, but I don't really see a whole lot of difference on a quick read of both.

I'm sure I'll keep using Google search, if only because I use multiple search engines already. The web's a big place, and most search engines hit spots that others don't - even if it only shows up 4 or 5 pages down - yes, I often go that far down in search results.

The truth is, as much as I don't like Mr. Schmidt's attitude toward privacy, until someone comes up with a new way to do search that out-googles Google, you can't afford to ignore it. But you can let them know what you think about it and hurt their bottom line by using other search engines more.

Monday, December 14, 2009

Guess who wants to copy Facebook

In a report on (requires registering for free account) we are told that Facebook's new privacy model is a good beginning for the online records for the healthcare industry. And as mixed a bag as the new policy is, they may be right.

Facebook still needs to do some work - how much depends on who you talk to - before their privacy settings will pass muster with most privacy advocates and many users. But the concepts behind them address issues that the medical industry has been saying could not be done. That is, huge numbers of accounts can have individualized settings. With the living proof that Facebook has provided, we may see hospitals and insurance companies providing online records similar to the offerings provided by Google and Microsoft, but with the information entered for you by your health providers. And those providers have more (and more binding) reason to protect your data.

Sunday, December 13, 2009

Facebook's new privacy settings not popular

In my very quick overview of Facebook's new privacy policies I said that overall the changes looked good. I still believe that, but some things that weren't obvious in that quick look show that it's not all good. While there were some good things done in Facebook's new privacy settings, some things that used to be configurable aren't anymore, and people are complaining. Whether privacy advocates such as the EFF or individual users commenting directly to Facebook, there is definitely a feeling that, while some of the changes are good, some things, especially the transition tool that pops up the first time you log into Facebook after the new settings were implemented, are aimed more at removing privacy than improving it. The transition tool, if it were really meant to improve privacy, should take you through each of the settings and explain what they do so you can make an informed decision. It should at least preserve your old privacy settings. But it doesn't. It selects Facebook's "recommended settings" which happen to be to share everything with the world, or at least that portion of the world that has Internet access. It does give you the option of keeping your old settings, but you have to consciously make the decision and click the selection for each setting, which is exactly backwards of the way it should be.

There are a couple of other options (or lack of options) that are cause for concern. You used to be able to hide things like your hometown and your birthday, but now the only way to hide them is to remove them from your profile. It also used to be possible to tell Facebook not to share information with Facebook apps. That option is no longer available, so now when one of your friends starts playing a game like Mafia Wars it can suck not only their information, but yours, too. That means, of course, that anytime you use a Facebook app you could be giving up all the information of everyone you have on your Friends list. So while overall the changes may have been good, the fact that you can compromise yourself and your friends by loading a Facebook app is unforgivable. To make matters worse, the new privacy policy seems to be full of doublespeak that removes privacy assurances while appearing to give them.

I encourage you to go to Facebook's site governance page and tell them you don't approve the removal of privacy options and demand that we be given control of all of our information. Insist that the defaults should err on the side of privacy, not full disclosure. The ACLU also has a petition going to get the privacy settings changed. I would recommend signing it, as well.

Saturday, December 12, 2009

Google Public DNS - Is it worth it?

On December 3rd Google announced their newest service, and potentially the most troubling, privacy wise. Google Public DNS is supposed to be optimized to provide a better DNS service than your ISP can. You might wonder how Google could do that, and why we should - or should not - use Google DNS.

First, it helps to understand what DNS is. DNS stands for Domain Name Service, and is the reason we are able to remember to type instead of having to remember  Sites on the internet are actually mapped by IP number. Since groups of 12 numbers can be hard to remember, the Domain Name Service, aka DNS, was devised. DNS takes the easy to remember and connects it to the real IP address of The web wouldn't work nearly as well without DNS. With it, if I don't know a company's web address, I can make a few guesses and probably figure it out. If I had to guess an actual IP address, I'd probably die before I got it right.

The reason this is a privacy issue is that while Google knows an incredible amount about us already because of our searches, they only know what we search for and what links we click in the results. If you make Google Public DNS your DNS provider, they know everything you do on the web. Every site you go to, every file you download, every streaming video you watch. It will all pass through Google. Google claims they are not going to share that information except in aggregate - meaning statistical groupings, i.e. males between the ages of 18 and 25 are more likely to go to than females between the ages of 40 and 50. Given the ad earning potential of such information, I'm not surprised Google is getting into the DNS business. With a world wide presence Google would be instant king of the information world. Well, Google is already king so I guess the next step up would be promotion to emperor.

I know that Google's stated reason to run DNS servers is to improve everyone's internet experience, but does that really hold water? If you select Google as your DNS provider you have to go through your ISP's servers before you can reach Google's, plus however many hops there are between your ISP and Google's servers. Plus your speed getting to Google's servers will be affected by the condition, settings and traffic on all of the servers between you and Google. I doubt you'll see much improvement over your ISP's servers. Of course, since the differences will be measured in a few milliseconds, even if Google's DNS is faster, I doubt you'll be able to tell. Is that worth turning every single bit of data your web surfing generates over to Google? I don't think so.

Friday, December 11, 2009

The Transportation (in)Security Administration

The Transportation Security Administration (TSA) is the agency in charge of airport security nationwide. It seems that they posted their procedure manual online by accident. The document was redacted, but despite the many previous incidents involving supposedly redacted* documents, the manual was poorly redacted - the redactor just drew boxes over the sensitive data instead of selecting and deleting it. It was only a matter of hours before the un-redacted document was available online.

According to the TSA the information in that was posted is old and the manual was never even made available to TSA staff. But there was a lot of sensitive information in that document. From the easily duplicated ID cards for various agencies (Including CIA) to information on the x-ray machines that could be used to find a way to fool them, there is plenty there to put anyone on their guard.

The TSA seems to be pooh-poohing the incident. That's understandable, if annoying. You can't reveal any more about how weak your defences are than the bad guys already have. But this is a serious breach of national security. Using this document it is possible that another group of terrorists could come into the US using fake documents that would whisk them through airport security with little or no security checks. It might make it possible for weapons to be smuggled onto planes in carry-on luggage. It may not be the worst threat to national security we've ever seen, but it's not a good one. Fortunately this breach has caught the attention of congressional leaders and others, so whatever error caused the manual to be posted may be found and cleared, and steps put in place to find and prevent similar errors in the future.

*redacted - sensitive information removed prior to release

[edited @ 9:56am because there's no reason for most people to know what 'redacted' means - Bert]
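
The failure described in this post, a box drawn over text that is still in the file, can be caught before a document is released. The following is an added example, not part of the original post: a simplified check over an uncompressed PDF page content stream that reports any text whose origin sits under a filled rectangle. The two sample streams are constructed and the function names are hypothetical.

```python
import re
from dataclasses import dataclass

# Tokens of a PDF content stream: (literal string), /Name, number, operator.
TOKEN = re.compile(r"\((?:\\.|[^\\()])*\)|/[^\s()/]+|[-+]?\d*\.?\d+|[A-Za-z*]+")

# Path-painting operators that fill the current path.
FILL_OPS = {"f", "F", "f*", "B", "B*", "b", "b*"}
# Operators that end the current path without filling it.
NOFILL_OPS = {"S", "s", "n"}


@dataclass
class Rect:
    x: float
    y: float
    w: float
    h: float

    def contains(self, px, py):
        # Width/height may be negative in PDF, so normalise the corners.
        x0, x1 = sorted((self.x, self.x + self.w))
        y0, y1 = sorted((self.y, self.y + self.h))
        return x0 <= px <= x1 and y0 <= py <= y1


def scan(stream):
    """Return (texts, filled): text runs as (x, y, string) and filled Rects.

    Simplification (assumption of this example): only BT/Td/Tj and re/fill
    operators are interpreted; Tm/cm transforms, TJ arrays and compressed
    streams are not handled.
    """
    operands, texts, pending, filled = [], [], [], []
    tx = ty = 0.0
    for tok in TOKEN.findall(stream):
        if tok[0] in "(/+-." or tok[0].isdigit():
            operands.append(tok)          # operand: keep until an operator
            continue
        if tok == "BT":                   # begin text: position resets
            tx = ty = 0.0
        elif tok == "Td" and len(operands) >= 2:
            tx += float(operands[-2])     # Td moves relative to line start
            ty += float(operands[-1])
        elif tok == "Tj" and operands and operands[-1].startswith("("):
            texts.append((tx, ty, operands[-1][1:-1]))
        elif tok == "re" and len(operands) >= 4:
            pending.append(Rect(*(float(v) for v in operands[-4:])))
        elif tok in FILL_OPS:             # rectangle becomes a painted box
            filled.extend(pending)
            pending = []
        elif tok in NOFILL_OPS:
            pending = []
        operands = []
    return texts, filled


def find_covered_text(stream):
    """Text still stored in the stream whose origin lies under a filled box."""
    texts, filled = scan(stream)
    return [s for (x, y, s) in texts if any(r.contains(x, y) for r in filled)]


# Constructed sample: the "redactor" painted a black box over the second line.
BOXED_OVER = """
BT /F1 12 Tf 72 700 Td (Public heading) Tj ET
BT /F1 12 Tf 72 680 Td (CONSTRUCTED-SENSITIVE-VALUE) Tj ET
0 0 0 rg
70 676 220 16 re
f
"""

# Constructed sample: the text operator was deleted, only the box remains.
PROPERLY_REDACTED = """
BT /F1 12 Tf 72 700 Td (Public heading) Tj ET
0 0 0 rg
70 676 220 16 re
f
"""

if __name__ == "__main__":
    for name, stream in (("boxed over", BOXED_OVER),
                         ("properly redacted", PROPERLY_REDACTED)):
        leftover = find_covered_text(stream)
        verdict = "FAIL, text survives under a box" if leftover else "ok"
        print(f"{name}: {verdict} {leftover}")
```

Any filled rectangle is treated as a possible redaction box, so a page background fill would be flagged too; for a release gate that over-reporting is the safer direction.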

Thursday, December 10, 2009

Taming the Facebook Beast, pt 3

For some reason I thought the changes to Facebook's privacy settings took place last week. Then tonight I logged on and was hit with the notice that the privacy settings have changed. The good news is, nothing much is changed as far as what you may have already set, and anything you've done already is still there. And if you want to change anything, it's now all available in one place, a place we've seen before:

[Screenshot: First, go to Settings-Privacy]

Once you click on "Privacy" things look a little different:

[Screenshot: Facebook's new consolidated privacy page]

Today we're going to go over the new interface, and finish our Facebook tutorial in the process. That's made possible because now everything is accessed in one spot, and all of the settings are controlled in almost exactly the same way. There's no need to relearn how to do anything we've already gone over, only where it's at. The first group of settings is the Profile Page, which we'll take in two parts because my screen isn't large enough to get the whole page at once :)

[Screenshot: Top portion of the new Profile privacy page]

[Screenshot: Bottom portion of the new profile privacy page]

You can see that the controls are more specific, giving you more options for controlling what is viewable by whom. The privacy pull down menus are the same as before. But the "Custom" option is greatly simplified.

[Screenshot: It's easy to set up multiple exclusions]

There are two privacy settings that are different from the others on the Profile privacy page. The first is the "Photo Albums" setting. Clicking on "Edit Settings" brings up the album privacy page. Both the album privacy page and the custom privacy settings are the same as before:

[Screenshot: The album privacy settings haven't changed]

The second is the "Allow Friends to post on my wall" setting. It is either on or off. To me this is the setting that most needs to be configurable. Sure, if someone insists on posting annoying things on my wall I can unfriend them, but I want to leave that as a last resort. I want it to be the same configurable interface I use to say who can see my birthday.

The next option is the "Contact Information" and it handles things like phone numbers and IM info:

[Screenshot: Control who can see your email address, IM, etc.]

The privacy pull down menus work exactly the same as on the Profile privacy page.

After the contact information comes the "Application and Website" privacy section:

[Screenshot: The privacy settings for Applications and Web pages]

The first selection, "What you share" is just an overview of how sharing works in Facebook. The second section, "What your friends can share about you" is a series of checkboxes:

[Screenshot: Uncheck anything you don't want your friends to share about you.]

You can be as wide open or as close mouthed as you want to be, which is a good thing. The next section is blocked applications - the Facebook help says to go to the application's about page, but I haven't found a link to an about page on any application I use, so I can't tell you much about blocking apps. It's something I'll be looking into in the next week or so.

Search is the next setting:

[Screenshot: Simple and clear.]

Exactly as it used to be, to keep from being submitted to Google and other search engines, make sure that "Public Search Results" is NOT checked.

Notice the request for a password. I have been gone from my computer for hours with Facebook up and nothing locked. Now after a short time of inactivity you have to give your password to get back into Facebook. That is another good change in the way Facebook does things.

And our last stop on our whirlwind tour of the new Facebook privacy policies is the people blocker:

[Screenshot: Block people by name or email address]

Very simple, just enter the name or email of the person you want to block. And that concludes our basic overview of securing yourself on Facebook.

This new strategy of putting more options in the main windows and simplifying the settings custom windows has made the privacy interface cleaner, easier to navigate, and more intuitive. It's a major improvement, and hopefully one that will encourage people to make use of the privacy settings.

Wednesday, December 9, 2009

Taming Facebook: pause for update

I've had an extremely long day (it's 2am) and haven't even looked at Facebook settings. But I do have some additional information to give you regarding photos on Facebook.

When you set your privacy settings for tagging photos you can prevent others from tagging you in photos, but you cannot keep them from downloading your photos from your profile, and you can't keep them from posting photos of you. All you can do is keep them from tagging you in the photo. So even if you only let your friends see a photo, nothing prevents them from downloading it and posting it on their own Facebook page. Of course, if you spend much time with them they probably already have plenty of photos you wouldn't want the world to see.

I will work on some more Facebook privacy settings for tomorrow and finish either tomorrow or Friday.

Tuesday, December 8, 2009

Taming the Facebook Beast pt 2

In part one we listed 10 things you can control on Facebook:

1. Configurable friend lists
2. Ability to remove yourself from Facebook search
3. Remove yourself from Google
4. Avoid photo/video tags
5. Protect your albums
6. Prevent stories from showing up in your news feeds
7. Control Application published stories.
8. Make contact information private
9. Avoid embarrassing wall posts
10. Keep friendships private

We briefly went over 1-3. Today we're going to look at 4 and 5, and maybe 6 if I'm fast enough.

4. Controlling photo and video tags.
a. Go to Settings-Privacy
[Screenshot: First, go to Settings-Privacy]

b. Go to Profile

c. There you will see the privacy page. Go to the second group of 3 pull down menus.
[Screenshot: Go to the second group of three pull down menus]

d. On "Photos tagged of you" select "Customize".
[Screenshot: Select "Customize"]

e. The Customize box is similar to the one for your Basic and Profile data, but there are a few differences. I've tried to illustrate a little of what can be done. Note: If a friend is in two Friend Lists, he will be given the most restrictive access between the two. So if he belongs to "Family" and "Know from Work" he will not be able to see any photo that "Know from Work" isn't allowed to see, even if "Family" is.
[Screenshot: Enter the Friends you want to see tagged images]

5. Protect your albums
a. For some reason this privacy setting is not with the others. That may change soon.
[Screenshot: Follow the numbers for privacy settings]

b. The options for the next two screen shots are the same as the methods for limiting access to posts and photos, so I'm just going to show them without comment. If anyone has any questions, feel free to ask.
[Screenshot: Access options for photo albums]


Tomorrow a few more Facebook privacy settings.

Monday, December 7, 2009

Taming the Facebook Beast pt. 1

Facebook has a number of tools to help you control who has access to the information you put up on your pages. They include:

1. Configurable friend lists
2. Ability to remove yourself from Facebook search
3. Remove yourself from Google
4. Avoid photo/video tags
5. Protect your albums
6. Prevent stories from showing up in your news feeds
7. Control Application published stories.
8. Make contact information private
9. Avoid embarrassing wall posts
10. Keep friendships private

Let's look at these in a little more detail:

1. Configurable friend lists
Friend lists allow you to put your friends into groups according to your own preference. You can group your friends by how you know them (work, church, social group, etc.) and then set what you want each group to see. The steps to limiting what a list sees are:

a. Go to the Settings Menu and select "Privacy Settings"
[Screenshot: Go to Settings-Privacy Settings]

b. Select "Profile"
[Screenshot: Select Profile]

c. Select the pull down menu next to the type of info you want to limit access to, then "Customize"
[Screenshot: Select the data type: Customize]

d. In the Custom dialog set who you want to see your info, and set any friend or list you want to keep from seeing it in the "except these people" field.
[Screenshot: Use the custom dialog to limit access]

2 & 3. Remove yourself from Facebook and Google search.
It's important to note that if you don't tell Facebook you don't want to be listed in Google searches shortly after signing up for Facebook, you will be listed on Google. But once you choose not to be in Google search you will gradually sink down in the listings. Of course, if people search for your name, even being low down the listings may still have you on the first page. To tell Facebook not to release your information to Google:

a. Go to Settings-Privacy Settings again.

b. Select Search
[Screenshot: Select Search]

c. Choose who you want to be able to find you and what they can see.

d. If you have "Everyone" selected in the "Search Visibility" field, you will also have the option to allow your profile to appear in Google searches. If you don't want to appear on Google, uncheck the box.

That should be enough to swallow for one day. We'll cover 4 & 5 tomorrow - Wednesday if I'm too strapped for time. There will be some type of post Tuesday either way.

Sunday, December 6, 2009

Is privacy dead?

According to CNN, we have reached "The End of Privacy" and Andrea Dimaio of Gartner tells us privacy is "an illusion." This is a sentiment I've seen expressed more and more often the last few years. I think this belief comes from a misunderstanding of what privacy is. Privacy is not being hidden. The best definition I've seen for privacy, what I consider privacy, is from the terms of service of According to them, privacy is:

The quality or condition of being free from unsanctioned intrusion. Person should be sure that the personal information provided will not be used in any other purposes then those the user needs.

Whether or not they abide by that definition I couldn't say, but I like it. Bob Blakely of the Burton Group identity blog has a different, but related, take on privacy. In his entry, "Gartner Gets Privacy Dead Wrong" he tells us that privacy does not equal secrecy. As long as you don't tell anyone your information, you don't have a privacy problem. Once you tell information to someone, then you have a privacy problem.

That makes a lot of sense. Privacy doesn't involve keeping things secret, but controlling who accesses them, and how. I like that idea, and it dovetails nicely with the emailmarketingpro definition. One of the problems with social networks is that people surrender too much control over their information. Well it turns out that it doesn't have to be that way, and Facebook is putting more safeguards in place for people to use to give them even more control over who sees their information. The trick is getting users to use the controls.

I can't make people use them, but I can make the information readily available. Over the next few days I'll be looking at some of the ways you can control your information on Facebook. Nothing can protect you completely, but the first step to greater security is controlling how others access your data.

Saturday, December 5, 2009

Just a quick one

I haven't verified this, but in the "privacy taken too far" department: In Germany privacy laws are so strict that German universities cannot reveal who they have given degrees to. Now that's privacy taken to a ridiculous level!

In the "deserves more attention, but I'm short on time" department we have Congress declaring hearings because two wannabe reality show stars managed to sneak into a state dinner - two people who are not unknown in Washington circles, from what I've seen - a week after the event. A month after 13 people are killed and many more injured in the Fort Hood (terrorist) attack they're still putting a hearing off. I don't understand.

Friday, December 4, 2009

NSA: Still listening with Presidential approval

Not much time tonight, but I have to comment on a report from OpEdNews on NSA wiretapping. It seems that Obama is as enthusiastic about the program as George Bush was. Why couldn't their area of agreement have been that the US is the greatest country on earth? This practice kicks the teeth out of the Fourth Amendment:

Amendment IV

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It really is important that we let our elected representatives know that we will not stand for this. Every freedom we let go, every right we let them take away, is one step closer to letting them take away all our freedoms and all our rights. I can't say it any better than James Madison:

I believe there are more instances of the abridgement of freedom of the people by gradual and silent encroachments by those in power than by violent and sudden usurpations.

Thursday, December 3, 2009

Facebook not necessary for self incrimination

I'd like some input on this one. I honestly can't decide how I feel about this. Somehow I wound up at and a headline caught my eye. "Post a vulgar comment, lose your job" it said.

It seems a teacher made an anonymous comment on the local paper's website responding to the question, "What's the craziest thing you've ever eaten?" He responded with a word occasionally found before the word cat.

Apparently being the impatient type, he couldn't wait to get home and posted his anonymous response from the school. Then when it was deleted he reposted. The editor of the paper noticed the post was made from the school and contacted them to report that someone from the school was posting lewd comments. The school was able to determine who made the post, and when confronted he resigned or was fired.

This was clearly an overreaction by the paper. When they asked for the craziest thing you've eaten, they had to know someone was going to post that response. When it appeared again they shouldn't have been surprised. Frankly, I think being stupid enough to ask that question warrants some type of disciplinary action.

On the other hand, what kind of idiot posts obscenities from work? Twice. Even anonymously, you risk someone noticing as you post it.

What do you think? Should the editor have contacted the school? Should the guy have been fired?

And remember kiddies, there is no such thing as anonymity online. If they want to bad enough, there is almost always a way to find out who you are.

[Edited for better title]

Tuesday, December 1, 2009

The fallacy of "crime prevention" cameras

In the last few years there has been a lot of reporting about cities and even countries (England) putting a great deal of trust in the idea that cameras in public areas will deter crime. I don't believe the evidence supports that idea. Here in Lubbock data indicated that on intersections with red light cameras, accidents increased, which was the opposite of the desired effect.

In Dallas they have had cameras for a while. It's interesting to take a look at 3 snapshots in time:

March 21, 2008 - Dallas News reports that cameras placed around the Dallas area have reduced crime. Among items reported as also having an effect in some areas are increased police presence and active neighborhood watch. For some reason their effect on crime is barely acknowledged.

April 27, 2009 - the Grit for Breakfast blog looks at the reported improvement in crime statistics and reveals that while crime was down 11% in camera monitored areas, it was down 18.7% in the rest of Dallas. The author wonders whether a decrease in one area's crime is really a decrease if the rest of the city decreases more. He also points out that Dallas recently changed its crime reporting policy, and the effect of that has not been factored in.

December 1, 2009 - cbs11tv reports that the cameras have been ineffective at deterring crime. In one area where the cameras were placed, crime actually increased - and none of the crime was caught on camera.

Crime cameras are not tools of a legitimate republic. They are the tools of totalitarian regimes and serve best as a means to monitor law abiding citizens, not criminals. Criminals will figure out where the cameras are and make sure not to expose themselves. Law abiding citizens will become the monitored while criminals go around the not-so-deterrent.

Health, the web, and HIPAA

One of the more exciting (or frightening) developing trends on the web is the push to keep your health records online. The government is encouraging doctors, hospitals and other medical institutions to do this for the ultimate in health records portability. This is made more difficult by HIPAA, which makes those same groups responsible for the security of your health records. The end result is that the government is sending mixed messages, and smart money is on keeping the records offline if you're a medical provider.

Enter two companies not exactly renowned for their respect of privacy: Microsoft and Google. Google Health and Microsoft's Healthvault allow you to put your medical records, prescriptions, shot records, etc. online and share them with your pharmacy and various healthcare providers. This sounds like a really good idea. It makes your records readily available for new doctors and makes it easy for you to share with a trusted family member or friend. Here is a short examination of both services.

First we'll look at Google Health. From the page you go to on that link:

Take charge of your health information

It's safe, secure and free

* Organize your health information all in one place
* Gather your medical records from doctors, hospitals, and pharmacies
* Share your information securely with a family member, doctors or caregivers

Google stores your information securely and privately, but you always control how it's used. We will never sell your data. You are in control. You choose what you want to share and what you want to keep private. View our privacy policy to learn more.

The privacy policy looks pretty good, but under the "How Google uses your information" section, #3 states:

Google will use aggregate data to publish trend statistics and associations. For example, Google might publish trend data similar to what is published in Google Trends. None of this data can be used to personally identify an individual.

I don't like my data being shared even "in aggregate." It's supposed to just be information like "x number of persons making between 45,000 and 100,000 a year are members." But I'm paranoid, especially about my health data. That is data that can be very damaging in the wrong hands.

The "Sharing your information" section is encouraging. The first thing they do after telling you that you can share information, see a list of who you are sharing it with, and revoke the right of someone on the list to see your information is to warn you that they may still have a copy of it, even if they can't access it to get new information. Now if only people would actually read the policy it would save some headaches later.

One encouraging thing about Google's offering is that it complies with Safe Harbor guidelines. By the nature of their business Google is not the world's biggest privacy watchdog, but they appear to understand the importance of privacy when it comes to health records.

Now for a look at Microsoft Healthvault:

HealthVault lets you …

* Organize your health information, with everything in one place
* Simplify your life: enter health info once, use it in many ways
* Gain insight with data that helps you make informed decisions

Microsoft Healthvault is HONCode and Truste certified. Health On the Net was founded in 1995 and "promotes and guides the deployment of useful and reliable online health information, and its appropriate and efficient use." You can verify Healthvault's certification here, but right now they are actually undergoing annual review. It comforts me that they are reviewed annually.

The Healthvault privacy policy is longer and wordier than Google Health's but says essentially the same thing. Your data will only be released in aggregate, except for the people you release your own info to.

The question that burned in my brain when I heard about this was, "What about HIPAA? How can this be legal?"

Actually, because neither business is a medical provider, they fall through the cracks of HIPAA. They are providing a service to the consumer and have no affiliations with hospitals or doctors. So they can do things a doctor or hospital would not be able to do when it comes to your data. You might want to think about that before joining either of these services. But despite what looks like a service I would avoid at first glance, I would recommend either of these for someone who has medical conditions that require multiple specialists. My experience is that there usually isn't as much communication between doctors as you would expect. But they have to give you your records if you ask, and putting the records in a service like this means you can make sure every doctor has access to everything going on. These services don't remove control of your information from you, they give you control you've never before had of your healthcare. That is a good thing.

[Edited 7:40am to add to last paragraph]

Sunday, November 29, 2009

Incriminating yourself, Internet style

Ah, the joys of social networks. Sharing your favorite activities, legal and not so legal, with family, friends and the police.

Yes, the police.

It seems that law enforcement has been unusually ready to embrace change when it comes to social networks like Facebook. Frankly, I'm glad they have. They catch sexual predators using chat and social networking sites. Very good thing. They also catch under age drinkers, particularly stupid drug dealers, and various other criminals (advice: posing for pictures with the loot you stole is not smart).

In the Lacrosse, WI Times this weekend I read about officers browsing Facebook to catch underage drinkers. College students post pictures on Facebook, officer sees picture, profile tells the story, and student gets an invitation to the police station where they get a ticket which they can pay or fight. The practice is not popular with students:

“I feel like it is shady police work and a waste of taxpayer money to have him (an officer) sit on the computer on Facebook when he could actually be doing police work,” said Luebker.

Uhm, dude, that cop sitting on the computer just busted you. That would be "doing police work." You incriminated yourself by putting the evidence up on a public forum. It may seem like I have something against Facebook, but I will continue to talk about the public nature of social networking as long as I see frequent quotes like this one:

“I feel like it is a breach of privacy,” Stenholt said. “You feel like you should be able to trust cops.”

Despite their best efforts to claim otherwise, Facebook provides no privacy. If it did, you wouldn't see quotes like that practically every day.

[Edited by Bert @ 6:52am for clarity and 12:27pm to provide link I thought was already done]

The scam-happiest time of the year

With cyber-Monday tomorrow, and the ever-increasing number of people doing their Christmas shopping online, McAfee - the security software company - has provided a list of the twelve most common ways holiday cybercriminals scam the rest of us. Here they are:

1. Charity Phishing. It is more blessed to give than to receive, but before you give, make sure the people receiving it are who you think they are.

2. Fake Invoices from Delivery Services. It is very difficult to ship COD these days, so unless cousin Joe from Jersey told you he was shipping you something that way, don't pay without calling the shipping company - from the number in the phone-book. And if you don't remember sending it, don't pay for it without double-checking.

3. Social Networking. Scammers send legit looking “friend requests” that contain links designed to infect your computer. However tempting it might be to have one more friend than your boss, don’t open links from “friends” you’ve never heard of.

4. Holiday eCards. Everyone loves a nice holiday card. What you should know, however, is that some of the most destructive holiday viruses have been attached to fake eCards. Never open eCards from unknown senders. Frankly, I'd think twice before opening an eCard from someone I knew without making sure they'd actually sent it first.

5. Luxury Jewelry. Man, you can find some incredible bargains online. And scammers take full advantage of that fact by offering even more incredible deals than you can usually find during the holidays. Of course, the deals they offer get you an empty wallet and maybe a cheap (disgustingly obviously cheap) piece of costume jewelry if you're lucky.

6. Online Identity Theft. I love shopping online. Quick, easy and convenient. But always make sure you're shopping a reputable site, and never shop from Starbucks - or at least never purchase - while at Starbucks, the library, or other public wifi locations. It's surprisingly easy to access other computers over an open wireless network.

7. Christmas Carol Lyrics. If you don't already know that ring-tone and mp3 download sites can be a hotbed for malware, you do now. Before downloading anything from one of these sites make sure they are legit. If they are offering the latest Taylor Swift ringtones for free, run away.

8. Work from Home. Beware of e-mails that offer jobs you haven’t applied for or work at home “opportunities.” After they steal your info and a setup fee, you’ll be right back where you started with a few extra headaches.

9. Auction Site Fraud. Internet scammers will post unbelievable deals in hopes of getting an unlucky bidder to bite. That 50" LCD TV for $299 "Buy it Now" will either never arrive or it will arrive in pieces, or as a 13" black & white CRT television.

10. Password Stealing. Change your password often. People can look over your shoulder, from the table next to you, or even use cell phone cameras to record you typing.

11. E-mail Banking Scams. Beware of any e-mail that asks for your banking information. I don't know of a bank that will ask you for your information via email. If I find one that does, I will post it here and tell you to avoid it.

12. Ransom Scams. If hackers gain access to your computer through any of the means listed in this article, they may demand a ransom to get your computer back in working condition. They won't call it that, of course. They will say that they are selling you the means to remove the malware you downloaded.

Facebook: Waiving Miranda & the Fifth

Friday, November 27, 2009

For privacy, keep your face off Facebook

In an opinion piece on Carmi Levy tells us, briefly, the story of Facebook user Natalie Blanchard, a woman who was on long term disability leave from IBM for depression. After a year and a half of receiving benefits from IBM Canada's insurer, the checks suddenly stopped coming. Why? Because the insurance company checks things like Facebook accounts, and despite her account being set to "private" they were able to find pictures of her looking decidedly un-depressed. Was Miss Blanchard committing fraud? Is she the victim of an overzealous investigator looking at a few snapshots in time that don't reflect her overall state of emotional well-being? I don't know. I do know that if she had followed a simple - in theory, not so simple in practice - rule of online life she would not be having this problem. The rule? Don't put anything online that you wouldn't want your mother/wife/children/boss/insurance investigator to see. And if you have to put it online, don't put it on Myspace, Facebook, or any other 'social' networking site. It's in the name, folks. By definition, social networking is anathema to privacy. Everything you put on Facebook will make it into the wider wild web. Count on it!

Some people have a right to know

A letter on points out that there are some persons who should be given automatic access to health records. Spouses should always have access to each other's records. Parents should, once their children are old enough, have either a living will or a signed power of attorney granting one or all of their children access to their medical records. Everyone should prepare for the worst case scenario - should you be incapacitated, who takes care of you and your affairs? Living wills and medical/financial/total power of attorney specify the answers to those questions. Don't make them lightly, and make sure you really trust the people you are giving such power to, but if at all possible, have these documents on file with an attorney and/or your doctor.

So much for a 'light weight' rest of the week. :)

Thursday, November 26, 2009

Just 'cause you work in a hospital...

Just last week I wondered how many healthcare workers didn't know they were affected by HIPAA. Apparently 16 workers at Ben Taub General, part of the Harris County Hospital District, didn't. The hospital district hasn't given specifics, but anonymous sources say they were looking up a 1st year resident who was shot in a robbery. One of the dismissed workers said, "I helped a doctor locate a patient/friend and that's it!"

The point these now unemployed workers missed is that no one not involved in the care of the patient is allowed to access those records without express permission of either the patient or the patient's representative. This is the kind of breach that doesn't necessarily need public disclosure, but the patient needs to be notified. And the rest of the workers need a refresher in HIPAA, with a strong emphasis put on not accessing accounts you are not involved with and using the proper channels to access those you are. I don't want to allow any practice that could cause workers to relax their guard about using the proper channels to access patient records - even their own.

Which brings up another point. A comment on an earlier post said that current regulations require a report if a hospital employee looks up their own record. Hospital policy might require that - and it should at least require a refresher in proper policy - but other than going outside of protocol, looking at your own record is not a breach of HIPAA.

Wednesday, November 25, 2009

Circle the wagons

It's a wild web out there, largely unmapped, with outlaws lurking in every shadow. It's been said that an unprotected computer will be compromised within 15 seconds, but that is probably an exaggeration. A USA Today study done in 2004 - very old by Internet standards - found that unprotected computers were compromised in minutes. It hasn't gotten better in the last five years. It used to be safe to stay on the 'main path,' but that's no longer true.

We're going to go over a few simple things you can do to protect yourself when you venture out into the outlaw known as the Internet:

1. Get a firewall. Most modern operating systems such as Windows (XP and up), MacOS X and Linux all come with a firewall, and it is usually on by default - but check it. That firewall is good, but it is even better to get a hardware firewall. If you have a router, you probably have a firewall. If you don't, getting one is as simple as going to your favorite electronics store (Best Buy, Wal-Mart, etc) and buying a router. Most router default settings leave something to be desired, but that's a post for another day. Usually the manual is on a CD in the box and has instructions for turning on security features. The actual method will vary with manufacturer and sometimes even different models from the same manufacturer will have different ways of doing things.

2. Create strong passwords. Strong passwords use letters, numbers and special characters. Pass phrases are even better. They can be easier to remember and harder to guess or crack. But "ILoveMyWife" isn't much better than "Lenore!@". No, my wife's name isn't Lenore. Here are some password creation tools:

  • Windows: Atory Password Generator - a freeware password generator that creates passwords as secure and as long as you want.

  • MacOS: Make-a-Pass - a Dashboard Widget that creates passwords as secure and as long as you want.

3. Save your passwords, either in your browser or in a password manager. For many years wise men (and women) said not to allow your browser to save your login info because if someone compromised your browser or got on your computer (with or without your permission) they had your password. While that is still a concern, the increase in trojan keyloggers makes that the lesser of two evils. If you don't hit the keys, a keylogger can't log them, and on home computers getting a keylogger is often the greater threat.

4. Keep up-to-date anti-virus and anti-spyware. Today it isn't unusual for a big name site to be compromised and spreading malware, so surfing unprotected is a bad idea. My favorite anti-virus programs are avast! Home Edition and AVG Free. For anti-spyware I use Spybot S&D and Adaware.

5. DON'T CLICK THAT LINK! Be careful where you go. I went for years without Anti-virus on my PC. My firewall provided all the protection I needed. Then a guest started coming by and using the computer. He went to Java game sites and picked up 2 or 3 bugs every day. So I had to get anti-virus to protect my network from him. You can't count on any site being safe, but why go to high risk sites?
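What the password generators in item 2 do under the hood, as an added example (not from the original post or from either tool named there): draw the password from the operating system's cryptographic random source and compare its entropy with a randomly chosen passphrase. The symbol set, the function names and the 32-word sample list are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character classes named in the post: letters, numbers and special characters.
SYMBOLS = "!@#$%^&*-_=+?"  # assumed symbol set for this example
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)

# Constructed 32-word sample list so the example runs offline. Far too small
# for real use; a Diceware-style list has 7,776 words.
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "marble", "nectar",
    "orchard", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "acorn", "breeze", "cobalt",
    "dune", "fennel", "glacier", "hazel",
)


def random_password(length=16):
    """Return a password drawn from the OS CSPRNG with every class present."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        # Draw the whole string uniformly, then reject candidates that miss a
        # class. Patching a character in afterwards would skew the distribution.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def random_passphrase(words=SAMPLE_WORDS, count=6, sep="-"):
    """Return `count` independently chosen words joined by `sep`."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform draws from `choices`.

    The class requirement in random_password() trims this figure very slightly.
    """
    return picks * math.log2(choices)


if __name__ == "__main__":
    print(random_password(16), f"~{entropy_bits(len(ALPHABET), 16):.0f} bits")
    print(random_passphrase(), f"~{entropy_bits(len(SAMPLE_WORDS), 6):.0f} bits")
    print("6 words from a 7,776-word list:", f"~{entropy_bits(7776, 6):.0f} bits")
```

The entropy figures hold only when the software makes the choices at random; a phrase a person picks, like "ILoveMyWife", gets none of those bits, which is why it is little better than a short password.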

That's enough for today. The rest of the week will probably be pretty light weight, but we'll get into a few more of the basic ways you can protect yourself next week.

[updated at 7:20am for clarity and additional information and at 2:00pm 11/26 because I reread it and it didn't say what I meant to say]

Tuesday, November 24, 2009

Every little thing you do...

One of the more exciting trends in social networking is the ability to use software on your phone or iPod to report your location to your favorite social network account so your friends can see where you are. Personally I don't think it's a good idea, but I'm into protecting privacy. I do think people are not thinking enough about what they are revealing about themselves as they surf the web, and now they're making it easy for the obsessive, the stalker, the thief to track them down. Last spring a reporter tracked a woman using the positioning data that was being posted by her phone at set intervals - he never met her and did not know her, but was able to see where she went and even view what he thought was her apartment through a webcam - and he knew the location of the apartment because it was fed through her cell phone. He didn't even have to dig, she was giving it all up voluntarily. Imagine if he had been a serial criminal of any sort. She was handing herself to him.

I was reading two articles, one in the Examiner about the nifty things that are so useful, but potentially so invasive to our privacy, and one at TechCrunch that talked about attaching your location to your Twitter, Facebook or MySpace account. Both point out that as we move to an online society it will become harder and harder to keep anything to ourselves. And most of us apparently don't understand that we are giving it up voluntarily. From students at Oxford to teachers in North Carolina screaming "invasion of privacy" because they got in trouble for pictures and statements on their Facebook pages, it is becoming more and more obvious that the average person online does not realize that once it's online it is out, and it can't be put away again. Is the answer stricter privacy controls? Is it tighter oversight of the social networks? I don't believe it's either. I believe it's education. Children and adults need to learn to keep some things private. They need to know that, while it might be neat to have your whereabouts posted where your friends can see them, unless you can make sure that only your friends see them, it can be painting a target on your back.

Tomorrow we'll start looking at ways to make that target a little harder to see.

Monday, November 23, 2009

ACTA Mattah, You!

The Anti-Counterfeiting Trade Agreement is a treaty-in-progress between the United States, the European Community, Switzerland, Japan, Australia, the Republic of Korea, New Zealand, Mexico, Jordan, Morocco, Singapore, the United Arab Emirates and Canada. Nothing has been ratified as yet, and because it is a "trade agreement" there has been almost no disclosure about what it contains. Leaked documents are quite frightening, however. There appears to be a "Three Strikes" rule on the table. The three strikes rule would require that any home accused of accessing or providing pirated works would lose internet access for a year. In an entry on the Center for Democracy and Technology blog, "We Are Not Amused," we see that the Queen of England has voiced her approval of such a rule for the UK. According to Britain's Department for Business, Innovation and Skills (download PDF), apparently the cutting off of internet access would include any type of communication that accesses the web:
"although we continue to regard the uptake and use of Internet services as essential to a digital Britain, we are considering the case for adding suspension of accounts into the list of measures that could be imposed. This does not necessarily mean that suspension would be used - this step would obviously be a very serious sanction as it would affect all members of a household equally, and might disrupt access to other communications, so it should be regarded as very much a last resort."

This is in reference to Britain's Digital Economy Bill. If you're interested, it's Chapter 10 - the amendment to Britain's Communications Act of 2003. I'd have provided a direct link, but it wouldn't save in the blog. This type of law has been passed by other countries such as France, and is being looked at by the European Union, independent of ACTA. In some versions, including ACTA, the suspension occurs if you have been accused three times. Convictions are not required.

That is just one of the problems with ACTA. The only review is by the negotiators and lobbying groups - groups that have pushed such anti-consumer legislation as the DMCA. Recently a small number of others have been allowed to see the proposed ACTA document, but only after an approved application and signing a non-disclosure agreement. Why is secrecy for this document so important? Consider:

One of the proposed regulations makes ISPs responsible for the content provided by their customers - contrary to US legal precedent.

It will treat "technical protective measure" (TPM) infringements differently (presumably more severely) than "general infringements". TPM is what we commonly refer to as Digital Rights Management (DRM) in the US.

There will be no requirement for hardware manufacturers to ensure interoperability of TPMs. Imagine having to have a player for each major studio - one for Disney, one for Paramount, one for Dreamworks, etc.

Not part of the agreement, but part of the way trade agreements work - if ACTA is signed by the US Trade Representative (USTR) it is binding. The US will have to enforce it as law, without Congress (our representatives) having any say in the matter. The RIAA, MPAA and their foreign counterparts have found a way to get around the laws of their respective countries.

This is something that we really need to jump on and speak to our representatives. We need to demand that they demand the ACTA negotiations be opened up to public scrutiny.

To contact your senator (if you don't already have the info):

Your Representatives:
Enter your zip code in the box in the upper left and click on "go".

Sunday, November 22, 2009

Cash, anyone?

BBC News reports that ANYONE who has used a credit card in Spain may have had their credit card data stolen. Apparently the company that verifies cards in Spain may have been part of the scam. Why would a legitimate company take part in identity theft? Identity theft is big business. Apparently big enough to tempt a legitimate company to commit fraud.

You can steal my cash, but once you spend it, that's all you've got.

Saturday, November 21, 2009

6 Months to report?!!!

The Chicago Tribune reports that Health Net lost a portable, external hard drive with data on 1.5 million customers dating back to 2002. The loss was reported to the Connecticut Attorney General's office Wednesday. The drive was lost SIX MONTHS AGO!!!

And they were keeping patient data on a portable hard drive? Apparently unencrypted? If that's not a violation of some type, it should be.

Despite some legitimate concerns about absolute notification, is it any wonder I don't want the hospitals and insurance companies deciding what and when they should report?

Friday, November 20, 2009

Who will watch the hen house?

In an article Thursday, the Huffington Post went to some length to examine the tug-o-war occurring between the health industry (hospitals and insurance companies) and privacy/security advocates. The health industry wants a federal rule on health data breach notification to contain a "harm threshold" that says how many records are breached, or how much harm is done by the breach before notification is required. The reason there was anything to argue about is a piece of legislation crafted to encourage the move to electronic medical records. The article doesn't mention the bill by name, or any of its authors, but apparently the original bill did not specify just how much data had to be mishandled before notification was required - and that is the same as saying ANY lost data meant notification was necessary. The HC industry lobbied the Department of Health and Human Services to add a "harm threshold" because if one bill went to the wrong address, that patient would have to be notified. Such stringent requirements scare hospital administrators and health insurers: "Such a requirement, they say, not only would be costly but also would overwhelm consumers and make them less likely to notice when a real problem occurred."

How many mistakes do they make every month? It sounds to me like hard-nosed notification requirements are overdue. Strict requirements with real consequences for failure to comply will force healthcare providers and insurers to fully train their employees in the regulations and give them the tools to do it right. If they are making so many mistakes right now that being required to send notifications of any mishandled data would overwhelm me with notifications, there is a big problem. I don't trust the health care industry to police themselves and notify people any sooner than they absolutely have to. I think it's time to contact our congressman and tell them we want notification. The easiest way to contact your senator (if you don't already have the info):

Your Representatives:
Enter your zip code in the box in the upper left and click on "go".

Thursday, November 19, 2009

Healthcare workers not hip to HIPAA

According to the Modern Healthcare website, a significant number of healthcare employees don't know that they are subject to HIPAA regulations. It's apparently a failure to communicate. The American Recovery and Reinvestment Act of 2009 extended who has to comply with HIPAA regulations, but as many as 50%+ of newly affected workers failed to get the memo. I'd be less concerned if I didn't wonder how many of the employees who were already affected by HIPAA haven't got the memo yet.

England has had its worst consumer data breach in a while courtesy of a Verizon T-Mobile employee who sold customer info. Hey Verizon T-Mobile, I want better controls over my data! Can you hear me now?

[Edited @ 1:57pm because apparently I have subconscious issues with Verizon]

Tuesday, November 17, 2009

National Security vs. Personal Freedom

Watching C-Span this morning (or late last night) I saw the House Republicans Press Conference on the Fort Hood Shooting. Rep. Peter Hoekstra was asking for a look into the failings in the processes that failed to prevent the shootings at Fort Hood, and stated that Congress needs to have their own investigation NOW. Peter King decried the lack of communication between intelligence agencies and the military - a failing that was supposed to be taken care of long ago. All well and good. Then Mike Rogers spoke.

Rep. Mike Rogers of Michigan stated that tools and procedures that have worked for intelligence agencies in the past have been prohibited and are therefore no longer available. He believed those tools needed to be made available again. Mr. Hoekstra agreed, but refused to elaborate on what those tools might be.

I have to wonder what those tools are. The Patriot Act greatly expanded surveillance ability of federal agencies. The federal government illegally tapped virtually every phone in America and Congress rewrote the law so the telecoms who aided and abetted the atrocious invasion of privacy could not be sued or held criminally accountable for their actions.

Rep. Mac Thornberry responded to reporters' questions about "why the rush to take action" by pointing out that 2 provisions of the Patriot Act will lapse at the end of December, and immediate action is needed both to learn the lessons about what went wrong and fix it, and because the families of the victims at Fort Hood and the American people as a whole deserve to know that their government is doing everything it can to prevent tragedies like Fort Hood and to prove the importance of extending pieces of the Patriot Act as they reach their end of life.

The amazing thing about all of the comments was the obvious blinders the Representatives have when it comes to intelligence failures that led to Fort Hood. Indeed, the more news stories I read about Major Hasan the more it looks like 9/11 in miniature. The number of red flag items that are being bandied about in the media seem to indicate Major Hasan should have been taken out of circulation long ago. The reason he was not appears to be (but appearances can deceive) a breakdown of communications, whether between agencies or internally in specific agencies.

There were many things that made 9/11 possible. Among them were lack of communication between agencies and even departments within agencies. Another was the sheer volume of information being gathered. In the Fort Hood shootings the similarity is that there was apparently a wealth of information. Apparently the FBI was aware that Major Hasan was communicating with someone in Pakistan. Apparently he was involved in money transfers to Pakistan. The person he was contacting, Anwar al-Awlaki, was an imam who has been implicated in terrorist attacks, but never arrested.

Atrocities like the 9/11 attacks and the Fort Hood shootings are used to justify, even demand, increased erosion of personal liberty in the name of greater security. More surveillance powers will make us safer, is the claim. But both 9/11 and Fort Hood could have been prevented without granting intelligence agencies more tools and greater power to spy on citizens. Simply paying attention to the warning signs instead of waving them away, presumably because Major Hasan has been a good citizen and soldier, could have made all the difference.

This was a bit farther away from obvious personal security than I intended for today, but this is an issue that I believe is very important. Security is important. But I believe Benjamin Franklin knew what he was talking about when he said, "Any society that would give up a little liberty to gain a little security will deserve neither and lose both."

[edited @ 8:25 am to correct 3am grammar and spelling errors]

In the beginning

There were only two people, plus God and the angels (good and bad), and privacy wasn’t much of a concern. As time passed that changed. People began to expect to be able to keep some things to themselves, and for most of history were able to with varying degrees of success. More time passed, and technologies (such as the telescope) were invented that allowed others to see things that you might think were known only to you. Still more time passed, and people are now able to expose themselves almost completely to the world at large while maintaining the illusion (some would say delusion) of privacy.

My purpose here is to make you aware of how you are exposing yourself by keeping an eye on things that affect privacy and security, whether it is personal privacy or national security. So at times I will dabble in politics, and possibly even religion, but mostly I will be keeping an eye on technology's effect (real and potential) on privacy and security, and on any legislation, court cases, or government actions that impact privacy and security. I will also be giving advice on limiting your exposure and protecting yourself from the bad guys, and hopefully entertaining you while doing it. That's all for now.