Is protecting businesses deposits the banks responsibility?

Originally published on 06/08/2011 on reports that a court magistrate has recommended that a motion for jury trial be denied in the case of Patco Construction Company, Inc v People's United Bank dba as Ocean Bank. This is another case that demonstrates the lower level of protection afforded business bank accounts than consumer accounts. If you never plan on opening a business that may not seem important to you, but if the company you're working for goes under because it's bank provided inadequate protection to business accounts it will be come very important

This case is similar in some ways to the case of Plains Capital v Hillary, which I followed pretty closely at the time. But there are differences. As far as I know no one ever figured out how the bad guys got the credentials from Hillary Machinery. The ZeuS trojan was allegedly the source of the compromise at Patco, and that is actually good evidence that the banks security was inadequate.

But the magistrate doesn't disagree that the security was inadequate. What he does disagree with is that it was the banks responsibility to have better security to protect it's customers data. He believes that the bank provided multi-factor authentication as recommended by the banking industry. Let's take a quick look at that. Multi-factor authentication is usually considered to require at least two out of three factors:

• Something you know (like a password)
• Something you have (like a cryptocard)
• Something you are (like a fingerprint)

Krebs on Security reported on the recommended decision and noted that Patco tried to instruct the court on the state of multi-factor authentication today, but with little or no luck. They informed the court that trojans like ZeuS can negate the benefit of cryptocards, but apparently that was not good enough for the magistrate. Unless Patco appeals a decision based on his recommendation they will be out $300,000 that couldn't be recovered.

Consumers have a lot of legal protections when it comes to their money in the bank. Large businesses sheer size is their protection. But small and medium sized businesses have little or no legal protection. The Federal Financial Institutions Examination Council (FFEIC) was about to release updated guidelines last year, but didn't. It's criminal that there is no better guidance for banks on protecting ALL customers money, and something needs to be done. The someone doing it should not be the courts.

RIAA pushes anti "login sharing" legislation in Tennessee, hopes others follow

Originally published on 06/06/2011 on lubbockonline.com

Sheila Burke and Lucas L. Johnson II report in the Tennessean that Tennessee has passed legislation making it illegal to share logins to "entertainment subscription services." The article focuses on Netflix logins, but it covers any kind of entertainment subscription login - whatever that means.

According to the article Recording Industry Association of America (RIAA) pushed for this bill, which makes the big focus of all the news stories - Netflix - all the stranger. The RIAA's concern would primarily be music services like Rhapsody, but the law does cover anything that could be called an "entertainment subscription service." Netflix qualifies, and sharing of logins in college dorms and by 'services' selling logins could be a problem. But is this really a big problem, or is this another case of an industry with a failing old business model looking for any excuse to explain it's problems other than the fact that old business models are changing, and businesses that won't change will fail?

The question is, how long will they be able to push legislation to prop their old, failing business model up, and how much damage will they do in that time?

Security vs Privacy: It's not what you think it is, part 2"

Originally published 06/06/2011 on lubbockonline.com

Last week I told you about Daniel J. Solov, the author of "Nothing to Hide: The False Tradeoff Between Privacy and Security" and his article, "Why 'security' keeps winning out over privacy," on salon.com about the bogus reasons security trumps privacy every time the two come into conflict. We looked at the first two mistaken arguments in his article last Wednesday.Today we'll look at the last three. Eventually we may look at the wider list of faulty security vs privacy arguments, but these will do for now.

The next argument we will look at is the "Pendulum argument." This is the idea that in times of heightened risk we should blindly allow privacy concerns to fall to the wayside because when things calm down the pendulum will swing the other way and privacy will be reinstated. The problem is, when risk is low, there isn't a great deal of demand to violate privacy for security, so the need to protect privacy isn't as great. In times of heightened risk the desire to be safe makes us less likely to question measures that supposedly increase our protection. So we get measures that sound good, but really do little. Solove mentions the Japanese interment in World War II and the "Red Scare" of the Mcarthy Era." Our problem is a little more hidden, though no more subtle. The ongoing monitoring of as close to every landline phone in the U.S. as possible (that's pretty close). In 2003 the Census Bureau gave the Department of Homeland Security the cities and zip codes of Arab Americans - supposedly to help decide what airports needed signs in Arabic. The implementation of full body scanners and gropedowns at airports to prevent bombings. These are just a few examples of actions taken to improve security that did little for security but cut deeply into privacy and liberty.

The War Powers argument looks good at first glance. It's the job of the President to lead our nations in time of war, and nothing should hamper his ability to do that. The NSA wiretapping is justified because, even though it violates the Foriegn Intelligence Surveillance Act (FISA), the the Presidents ability to lead our country in times of war is more important than any law. The implication is that there is nothing the president can't do if we are at war. He can put citizens in concentration camps, ignore Consititutionally garaunteed rights, and have people pulled from their houses and shot without explanation if he is doing it under "War Powers."

Last, we have the Luddite Argument. The Luddite argument says that if you're not willing to embrace technology you're holding security back through fear and ignorance. But the truth is, often these technologies haven't been vetted properly, and may not be ready for prime time. The anti-bomb "puffers" put into service to protect us from bombs are a prime example. But Mr. Solove's example of biometrics is a very good and timely example:

 

To see the problems with the Luddite argument, let’s look at biometrics. Biometric identification allows people to be identified by their physical characteristics -- fingerprint, eye pattern, voice and so on. The technology has a lot of promise, but there is a problem, one I call the "Titanic phenomenon." The Titanic was thought to be unsinkable, so it lacked adequate lifeboats. If biometric data ever got lost, we could be in a Titanic-like situation -- people’s permanent physical characteristics could be in the hands of criminals, and people could never reclaim their identities. Biometric identification depends on information about people’s characteristics being stored in a database. And we hear case after case of businesses and government agencies that suffer data security breaches.

 

He goes on to point out that if someone steals your SS# you can replace it. Making sure you understand all the implications of using biometrics before ditching our current system is wisdom, not ludditism.

There are a number of arguments used to 'prove' security is more important that privacy, and that privacy is a danger to security. The truth is that there are few situations where privacy and liberty are incompatible with security. But to some government officials and law enforcement the idea of privacy is synonomous with chaos. We can't let them have the last word on security and privacy policies.

Facebook Friday

Originally published 06/03/2011 on lubbockonline.com

Poachers shouldn't advertise

An AP story story in the Miami Herald tells us of the perils of being a poacher on Facebook. Darin Lee Waldo learned the hard way that Facebook is not the place to brag about your poaching. Or the anywhere on the internet. Especially when the people you're trading photos with are investigators with the Florida Fish and Wildlife Commission.

Of course, Darin wasn't just bragging about his poaching. He was a felon in illegal possession of a firearm bragging about his poaching on Facebook and inviting government agents on poaching trips. I'm sure he came from a long line of criminal masterminds.

Fireman suing for Facebook firing

Capecodtoday.com reports that former fireman Richard Doherty is suing the town of Bourne, MA for wrongful firing. The city says he broke department policy by posting derogatory remarks about members of the fire and police departments and the leadership. Doherty says he was just doing normal venting like employees do. He may have just been venting, but venting on Facebook isn't like venting to your wife, or with your buddies, as Mr. Doherty found out.

Facebook can be fun, it can be useful, but it can also be the knife you hold to your own throat. Be careful what you do with it.

New Mac Malware on Facebook, New Mac Defender bypasses Apple fix

Originally posted 06/02/2011 on lubbockonline.com

It's been a busy couple of days in the malware world.

New Mac and PC malware reported on Facebook

F-Secure reported "a significant malware" affecting both Mac's and PC's circulating on Facebook, then reported that Facebook finally blocked it. I'm not sure how significant it really was - by the time I checked the Openbook link in F-Secures initial post there were only two examples of the bogus links popping up, and the good folks at F-Secure couldn't manage to get infected by it even though they were trying. But if you should see messages or updates with the following subjects, don't click on the links:

 

 

At 17:00 GMT the attack changed subject line to:

one more stolen home porn video ;) Rihanna and Hayden Panettiere and…

Rihanna And Hayden Panettiere !!! Private Lesbian HOT Sex Tape stolen from home archive of Rihanna! Hot Lesbian Video - Rihanna And Hayden Panettiere !!

 

Apple in escalating war with Mac Defender?

On Tuesday, 05-31-11 Apple released Security Update 2011-003 for Mac OS X 10.6.7 and Mac OS X 10.6.7 Server. The update warns users when they download a known variant of Mac Defender and scrubs the malware from systems that have already been infected. It also has a daily update function to download definitions of new Mac Defender variants (and presumably other malware that may pop up).

It's a good thing Apple had the foresight to make their fix upgradeable. On Wednesday, 06-01-11 a new variant of Mac Defender that bypasses the Apple fix appeared. I'm sure that by the time you read this, or no later than Friday, 06-03-11 an update will take care of the new variant, and a day or so later a 'fixed' Mac Defender will appear to bypass Apple's update. And so on, and so on, and so on. That's not a knock on Apple, it's just the way these things work. The attacked company, in this case Apple, cannot ignore the malware, and the malware authors aren't going to let Apple beat them. Not for a while, anyway.

I'm glad Apple has built a fix for the latest version of OS X, but I wonder if Mac Defender runs on earlier versions. Not just earlier versions of Snow Leopard, but Leopard and Tiger, too. There are a lot of people still using them, but Apple's just leaving them in the cold. Hopefully Apple will release a version for Leopard, at least.

Security vs privacy - it's not what you think it is.

Originally published 06/01/2011 on lubbockonline.com

Daniel J. Solove is the author of "Nothing to Hide: The False Tradeoff Between Privacy and Security." Yesterday (May 31,2011) he published an article, "Why 'security' keeps winning out over privacy," on salon.com about the bogus reasons security trumps privacy every time the two come into conflict.

According to Solove, the arguments used to win security over privacy are flawed, and he examines a few of those arguments to show how. We'll look at a couple today and a couple tomorrow:

• The all or nothing fallacy - this fallacy says that you have to go all the way, or do nothing at all. He uses the example of surveillance, "In polls, people are asked whether the government should conduct surveillance if it will help in catching terrorists." Of course people say yes, the question implys that we are unprotected and saying "no" means leaving ourselves exposed to terrorist attack. The government already has the right to conduct surveillance, but must follow certain rules. As Solove puts it:

   

  We shouldn’t ask: "Do you want the government to engage in surveillance?" Instead, we should ask: "Do you want the government to engage in surveillance without a warrant or probable cause?"

   

  The former question pretends protecting privacy requires a complete loss of security. We weren't without protection before 9/11, and the protection isn't that much better now despite the increased "security" forced upon us.

• The deference argument says courts should defer to the executive branch in security matters. But it is the courts job to be a check on the executive, examining what the executive does and making sure that it does to secure us is actually worth the trade-off. A simple, basic example is the TSA body scanners and patdowns. Will they even stop a slightly determined bomber? Probably not. A policy of deference by the courts means that our civil liberties are trampled on for no reason and the people who are supposed to gaurd them are looking the other way.

That's just two of the many arguments used to trump privacy for security. Tomorrow we'll look at two more.

The bad guys are phoning for access

Originally posted 05/31/2011 on lubbockonline.com

Jason Halstead of the Winnipeg Sun reports that a woman in Winnipeg, Canada was almost a victim of an unusual blended attack on her computer.

61-year-old Val Christopherson answered her phone and a man told her he was from an online security company that was receiving error messages from her computer. He claimed to want to fix her problem over the phone and convinced her to go to a site called Teamviewer.com and let him connect to her computer. Then he tried to sell her antivirus software and let him install it. That was when she got suspicious and hung up.

Ms. Christopherson was smart. When the man called back she hung up on him again, then unplugged her computer and contacted her ISP and bank to reset her security credentials and let them know her computer might have been breached. Letting herself be talked into letting an unknown person to connect remotely to her computer was a lapse, but perhaps an understandable one. As often as we warn against clicking on strange links and ok'ing popups, we never warn about letting strangers access your computer, either in person or remotely. A computer attack initiated by calling the prospective victim is, in the case of private individuals, extremely rare, so no one warns about that type of attack.

So if you get a phone call from someone asking you to give them access to your computer, tell them no. If they are from your ISP or the company you get your anti-virus from, tell them you'll call them back and hang up. Then use the number from the phonebook or the internet to call them and find out if they had been trying to contact you. Don't ever trust an anonymous phone caller with access to your computer.

Happy Memorial day

Originally published 05/30/2011 on lubbockonline.com

Let's all remember between the barbecues, kite flying and trips to the lake to spend a few moments to honor the memory of those who have given everything so that we can enjoy the freedoms we have. And tomorrow let's continue to honor them by making sure those freedoms, so ably defended with the sword, are not lost by the pen.

Facebook Friday: Sex offender busted for surfing at Apple store

Originally published 05/27/2011 on lubbockonline.com

Bob Cuddy of the San Luis Obispo Tribune reports that a known sex offender, Robert Nicholis McGuire was arrested at the San Luis Obispo Apple Store for violating his probation. In a perfect example of going to the wrong place at the right time, Mr. McGuire was recognized by sherrif deputies as he went into the Apple Store. He proceeded to log into Facebook on a display computer. A deputy went to the computer next to McGuire's. According to the SLO Sherrif's department press release:

San Luis Obispo County Sheriff's detectives, including the Sexual Assault Felony Enforcement (SAFE) team spotted a known sex offender in downtown San Luis Obispo on Wed afternoon. One of the SAFE team detectives recognized the man from a previous child pornography case. As one detective followed the man, another checked the probation terms of the registered sex offender. They followed the man to the Apple store on Higuera St. where he entered and began to log on to the internet from a display computer. Another detective went to the computer next to the man and logged on to the Megan’s law website. At about the same time the probation term information was received that clearly indicated McGuire was prohibited from using the internet. McGuire had logged on to his Facebook page. McGuire was taken into custody without incident after he left the store. McGuire made a statement to detectives that he thought he was being followed after the man standing next to him logged onto the Megan's Law site. McGuire is being held without bail at the San Luis Obispo County Jail.

Obviously Mr. McGuire is a "mind your own business" kind of guy. Otherwise he would have noticed someone logging onto the California Megan's Law sex offender tracking website on the computer next to him. He would have noticed that it was the private law enforcement version with full info about sex offenders, not the limited info public version. He probably would have not opened a web browser or closed it if it was open. But he didn't notice, and he did open a web browser and log onto Facebook, and now one more predator is off the streets thanks to his own stupidity.

New MacDefender variant doesn't ask for admin password to install

Originally posted 05/26/2011 on lubbockonline.com

If you use Safari, go to Safari-Preferences and select the General tab. Uncheck open safe files option (see image). If you surf the web in your admin account, create a normal user account and start using it. There is a new variant of Mac Defender that doesn't require an admin password to install if you are logged into an admin account. If you wind up at one of the bogus download sites, are logged in as admin and have "Open Safe Files" selected, it will install without asking your permission. Most people in the Mac community still use the default account setup when they first started their Mac. That is an admin account.

MacGuard is still a relatively low risk piece of Malware. Intego is rating it as a medium threat, but it's hard to say if that's an over or underestimate. It is a step up the threat scale from MacDefender. It won't just affect naive users who say ok to any dialog that pops up. No dialog will pop up to ok.

It might be too early to say that if you run a Mac you need to run anti-virus, but if you're starting to get antsi about it, Sophos' free version of it's Mac anti-virus protects against Mac Defender and I'm sure will be quickly updated to protect against MacGuard. And there are always the paid version from Sophos as well as Symantec, Avast, and others.

This is not the end of the Mac experience as we know it, but it is the end of telling people there is no malware on the Mac. The good news for now is, all you have to do protect yourself is do your everyday computing in a non-admin account and make sure you know what it is you're okaying before you click the blue button. And turning off the "open safe files" option in Safari wouldn't hurt.

The velvet glove of martial law?

On Friday, March 16th President Obama continued the breakdown of the Bill of Rights started with the Patriot Act in 2001. That is the opinion of much of the Internet, and a quick read of Executive Order -- National Defense Resources Preparedness seems to confirm it. But such things seldom occur in a vacuum, and this is no exception. The text is basically an update of executive orders going back to 1950, including EO's by Bill Clinton and George W. Bush.

I haven't read the full order, but I've read enough of it to know that I could easily, if I wanted to, write a long, point by point blog on the potential dangers of each section. The language would be easy to use for fearmongering. But the fact is, to take any one section of the economy under complete government control would require not just an executive order, but a clear and present danger of a type I'm not sure anyone could have been convinced existed even immediately after September 11, 2001. To create true martial law over the entire country would be far more difficult. It could probably be done, but it would probably require more resources than are available without pulling troops home from foreign posts - assuming the troops would go along with it.

The reality is that any competent entity, public or private, will have disaster preparedness documents. That's what this executive order does. It spells out who is in charge of what in the event of natural or manmade disasters. It makes some changes to take recent developments into account, but does very little to significantly change what was done by earlier presidents.

Like any other leader, President Obama has done plenty of things to disagree with and fight about. This just isn't one of them.

Even Apple had to admit it: Mac Defender is real malware for the Mac.

Originally published 05/25/2011 at lubbockonline.com

 

Mac now has real malware. First announced May 2nd by Intego, it's similar to numerous fake anti-virus and anti-malware programs on the Windows side. As far as danger, it's a standard scam to get your credit card number and other identifying information. Unlike some other trojan software it doesn't do anything to your computer or the data on it.

 

Apple spent 3 weeks seemingly ignoring the problem, but on Monday they added a knowledgebase article on avoiding or removing the malware. They are also preparing an OS update that will explicitly warn if a user downloads Mac Defender or one of it's variants. They haven't said what versions of Mac OS will be getting the update, but hopefully they will cover all the affected OS's, not just OS X 10.5 and 10.6.

Warning a user that they're downloading malware is all well and good, but as time goes on and the list of malware grows that could become pretty unwieldy. Hopefully now that there is a piece of malware for OS X that is real, widespread, and effective at what it does Apple will pay more attention to the reality that, like all other software, OS X is not bulletproof and needs serious attention paid to security.

Originally posted 05/24/2011 on lubbockonline.com

Rebecca Boyle at Popsci.com reports that the federal government will announce next month that all cars must have a black box. Yes, a black box like airplanes carry.

Rebecca tells us that a lot of cars already do, but there is no standard for how they work, what they record, or how to access it. That may be a good thing, since even now they record more than we probably realize. According to the article:

General Motors can find out plenty of information about your driving habits, as Autopia explains, like whether you used your turn signal and whether you buckled your seat belt. GM can use this information to build better safety systems, but it can conceivably be used by insurance companies, too, when determining how to pay claims or assign fault. Or it could be used by legal authorities to prove guilt or negligence.

I'm not really sure what I think about this. Most of the objections I have are already applicable to cell phones. Speaking of cell phones, she also points out that in the future the black box may record if you were distracted by your cell phone right before an accident. I don't know why she assumes that is a future development, especially if you have a car with bluetooth for connecting to your cell phone.

The one concern I have for this the potential for tracking abuse. We already have agencies trying to put trackers on cars without a warrant. How much harder would it be to protect us from unwarranted tracking if the ability was built into the car? Who knows what kind of tracking is already being done on cars with Onstar and similar systems?

Fingerprinting from a distance

Originally published 05/23/2011 on lubbockonline.com

Last January Sandra Swanson reported at Technology Review that Advanced Optical Systems (AOS) has designed a fingerprint reader that works from up to six feet away. This could be a big boon to security, and a great boost to identity theft, too. The techology as reported wasn't quite ready for either duty, but was expected to be by sometime in April and is called the "Airprint".

I tried to find more recent reports, but the only article I could find was an article in the May INC. that was so short and generic it was probably taken from the original Technology Review article. I tried to go to the AOS website, but it wasn't responding to queries. So I don't know if the company is still around, although I expect it is. AOS has been arounnd since 1988 and there were no reports if it shutting down or going bankrupt.

The Airprint isn't quite ready for prime time ID theft, being two large to easily conceal. But that will change. The units will get smaller, scan faster, and scan farther. Change the 'light source' to infra-red or ultra-violet and the chance of being detected by the victim is very low. A commenter on the original story noted that the technique would probably work for the raised characters on credit cards, too. Fortunately, my primary card is entirely printed, so it's safe from this scanner. But if someone can get one or more fingerprints and you credit card info, they've got access to a lot more than I'd want them to have.

US CERT warns against Mississippi disaster scams

Originally posted 05/18/2011 on lubbockonline.com

The U.S.Computer Emergency Readiness Team (CERT) reports that scammers are exploiting the flooding in Mississippi, sending out emails claiming to be from relief organizations. To help us protect ourselves from that, and from some of the other scams floating around the internet they provide links to informative web pages and PDF's:

 

• Do not follow or open unsolicited web links or attachments in email messages.
  Maintain up-to-date antivirus software.
• Review the Recognizing Fake Antivirus document for additional information on recognizing fake antivirus.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for additional information on social engineering attacks.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for additional information on avoiding email scams.
• Review the Federal Trade Commission's Charity Checklist.
• Verify the legitimacy of the email by contacting the organization directly through a trusted contact number. Trusted contact information can be found on the Better Business Bureau National Charity Report Index.*

 

Whenever a disaster occurs anywhere the scammers come out in force, but with good information and a little thought you can safely donate online with confidence that your money will be used the way you intended.

*Information from US-CERT

Did you miss Playstation Network?

Originally posted 05/16/2011 on lubbockonline.com

I've been remiss in not reporting the Sony Playstation Network breach and outage. The network started going back up this weekend. Ok, yesterday.

You might wonder why I would seemingly ignore one of the largest data breaches ever. Part of it was waiting to see what came out. Part of it was that if you were active on the PSN you were probably already more aware of the situation and following it closer than I had time to. But now there's more information, and I might actually be able to tell you a few things you don't know about a breach like this. Sadly, it won't be good news

Joshua Grech of the Daily Telegraph reports that the PSN started coming back up sometime Sunday, although it may take a few days for everything to be available again. He also reports that Sony is going to offer a "Welcome Back" package of software and content to encourage people to stay with Sony and Playstation (or come back if they've bought an Xbox during the outage). As part of the increased security in the system users will have to change passwords when they log back in, and will have to prove they are the account holder to do it. When announcing the return to service Sony Group CEO Kazuo Hirai had one of the best non-apologies I've seen:

"I wish I could tell you that technology is available to completely protect any company against cyber attack. "But unfortunately the threat of cyber crime and data theft will continue to plague networks, companies, government agencies and consumers around the world for some time to come."

Translation: "Sorry, people. It's not our fault. We can't prevent it and neither can anybody else, now and forever."

It's true that there is no perfect protection against bad guys, online or in the real world, the disturbing thing is how hard it is to track a truly skilled attacker online. Bianca Bosker at the Huffingtong post looks at just how hard it can be. A truly skilled attacker will use botnets, spoofed IP addresses and spoofed MAC addresses as well as multiple hops through computers - some under the control of the attacker, some not, but all used to obscure the origin of the attack.

When a breach is discovered there are steps taken to find out what happened. What those steps are varies from company to company, but one of the first is to check the system logs:

Once a company discovers its network has been breached, investigators will usually first comb the server’s log files, which record all traffic to and from the server including attempts to access the network or extract information from it. Reviewing these records -- the digital equivalent of watching security camera footage -- offers a look at any suspicious communication with a company’s network and where it may have originated.

Unfortunately, though logs are one of the best tools for seeing what happened on the server, skillful attackers can easily negate them by editing all evidence of their activities out. By doing that they could keep an attack from being noticed for weeks, months, or even years. Unlike theft in the real world, theft online leaves the original on the server. Removing the logs entirely would tip off the systems administrators that something happened. Editing the logs removes the evidence that something unusual has happened while leaving all records of normal activity in place.

Sony has gotten a lot of bad publicity for having the PSN down for so long, and are being sued for the breach. We don't know what kind security they had in place. I would be tempted to say that it obviously wasn't adequate, but the truth is, no one has adequte security. Sony's real failure was in the handling of the breach. Instead of being open and informative they were secretive and withheld important information in the hopes of controlling the damage. They did the same thing when they loaded rootkits on CD's, and I imagine they'll do the same thing the next time they have an event like this. Because breaches like this will happen it makes no sense to hide when they happen. The thing to do is have policies and procedures in place that cover breaches and provide for the rapid dissemination of information to the people affected, law enforcement and the media. That doesn't mean to tell everything, but each of those groups should receive the appropriate information.

Every company should have every possible protection in place, but must admit that they are not immune to breaches and prepare for that eventuality. It's the only responsible thing for them to do.

Is looking at thumbnails of porn grounds for firing?

Originally published 05/13/2011 on lubbockonline.com

David Kravets of Wired's Threat Level blog reports that a high school biology teacher was fired for studying too much of it on school computers.

When I first read the headline and that the teacher had gotten some "not safe for work" (nsfw) images when searching for "blonde" and been fired because of it, I thought he had gotten a raw deal. Then I read more of the story and learned that he was an idiot. Or thought he was clever and outsmarted himself.

Robert Zellner may have counted on claiming retaliation if he was fired. What he didn't count on is monitoring software put on his computer because his computer had unusual problems. So when he disengaged the schools browsing filters, typed "blonde" into google images and spent a little over a minute looking at pornographic thumbnails the school had complete records.

He may have thought that the fact he only skimmed through pages of porngraphic thumbnails without clicking on any links would save him - he could claim he was looking for something else. But the monitoring software showed that he disabled the porn filters, meaning he wanted to find something he knew the filters would block. Two pages of porn thumbnails made it pretty clear what that was.

It really didn't matter what popped up in the search once he turned off the web filter. Disabling it was probably grounds for firing. But when porn popped up and he didn't instantly close the window, he signed his pink slip.

Will Facebook ever get privacy right?

Originally published 05/12/2011 on lubbockonline.com

Nishant Yoshi reported on Symantec's official blog that third party Facebook applications have had accidental access to much more of Facebook users info and pages than anyone knew:

Third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts including profiles, photographs, chat, and also had the ability to post messages and mine personal information. Fortunately, these third-parties may not have realized their ability to access this information. We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue.

Symantec's researchers estimate that over 100,000 apps may be leaking data. Over 600,000,000 people have Facebook accounts. Because of an oversight, 100,000 third parties, both known and unknown, may have had access to their information, no matter how tightly they had controlled the privacy settings. The only saving grace of this news is that few, if any, of those third parties may have realized the treasure they were sitting on.

Facebook has to start taking privacy more seriously. But they never will if users don't demand it because the Facebook business model is to get as many users as possible and encourage them to put as much data as possible, as openly as possible, on the site so Facebook can sell access to it. As it turns out, Facebook had actually given away the keys to the kingdom, but fortunately, nobody seems to have noticed.

Congress says, "protect customers", Justice Department says "spy on them."

Originally posted 05/11/2011 on lubbockonline.com

Today Apple and Google execs appeared before congress to answer questions about the way their operating systems gather user data. Darrell Etherington of the Gigaom column at Businessweek reports that Senator Al Franken assured everyone that the purpose of the hearing was not to bring an end to location services, but to move forward while protecting customers.

While Senator Franken was working to protect consumers from overreaching data collection by cell phone makers, the Justice Department was arguing for laws requiring cell phone providers to collect more data on their customers. Declan Mcullagh reported in his Privacy Inc. blog that Jason Weinstein, the deputy assistant attorney general for the criminal division testified on the need for cell phones to collect and retain data to make it easier for law enforcement to gather evidence:

"Many wireless providers do not retain records that would enable law enforcement to identify a suspect's smartphone based on the IP addresses collected by Web sites that the suspect visited," he added.

Really? They won't be able to identify a persons smart phone if they can't use the IP address assigned to it? I know some criminals will avoid putting any identifying information on the phone if they can, but really. The only way to identify a smart phone belongs to someone is by knowing it's IP and the web sites it visited. It makes you wonder how they were ever abe to solve crimes back in the dark ages when there were no smart phones with IP addresses and web sites to record them.

This is a typical overreach. The idea that government can require gathering data on everyone because there are a few instances the data may help in a criminal case goes against the spirit of the 4th Amendment and the idea of innocent until proven guilty. Why is a cell phone any different than the information in my home? They can't go into everyone's home and gather data to make it easier to solve criminal cases. Why should they be allowed to go into my phone? And why should they be able to gather data, or have someone else gather data from my phone without any evidence I've committed a crime? They shouldn't. That's what the Bill of Rights was written to protect us from.

Should a judge allow 23,000 "John Doe" subpeona's?

Originally published 05/10/2011 on lubbockonline.com

David Kravets of the Threat Level blog reports that a federal judge is allowing U.S. Copyright Group to file 23,000 "John Doe" subpeonas with ISP's around the country. The number is only likely to grow as they continue to have people go to torrent sites and monitor the IP addresses of people downloading "The Expendables."

It's wrong to steal movies, but the granting of these "John Doe" subpeonas is controversial. It shouldn't be, but it is. Granting the subpeonas ignores jurisdiction - it's very unlikely that most of the 'suspects' are in the area covered by the courts jurisdiction and it treats ignores the fact that they have very little relationship with each other. They are not part of an organized conspiracy to steal intellectual property.

U.S. Copyright Group and other IP enforcement mills, on the other hand, are in the business of finding ways to make the most money possible filing suits for copyright infringement. Getting all of the infringers under one judge means lots of profit. Having to file in the actual jurisdictions would decrease profit. Lawyers profit margins are not good reason to trample defendants rights.