Wednesday, December 14, 2005


News Item 4488 United Press International - NewsTrack - Coalition wants to delay Patriot Act vote

WASHINGTON, Dec. 14 (UPI) -- An unusual bipartisan coalition wants to delay Friday's scheduled vote to reauthorize the Patriot Act until privacy protections are improved, a report said.

The coalition of lawmakers and activists urging the delay is the strongest to lobby Congress on any issue. Up to 41 senators are willing to block reauthorization of the bill that the Bush administration has said is vital to its war on terror, the Christian Science Monitor reported.

Many lawmakers were stunned by reports the FBI has issued up to 30,000 "national security letters" under the Patriot Act.

The letters order public and private entities to turn over people's personal data and remain silent about it, which would be subject to judicial review under the revised bill that would extend 14 of the original 16 provisions.


2:25:19 PM

News Item 4487 Is the Pentagon spying on Americans? - Lisa Myers & the NBC Investigative Unit - MSNBC.com

Secret database obtained by NBC News tracks 'suspicious' domestic groups.

WASHINGTON - A year ago, at a Quaker Meeting House in Lake Worth, Fla., a small group of activists met to plan a protest of military recruiting at local high schools. What they didn't know was that their meeting had come to the attention of the U.S. military.

A secret 400-page Defense Department document obtained by NBC News lists the Lake Worth meeting as a "threat" and one of more than 1,500 "suspicious incidents" across the country over a recent 10-month period.

"This peaceful, educationally oriented group being a threat is incredible," says Evy Grachow, a member of the Florida group called The Truth Project.



2:17:52 PM

News Item 4486 Update: Security breach at Sam's Club exposes credit card data.

Update: Security breach at Sam's Club exposes credit card data. Officials at Sam's Club are investigating a security breach that has exposed credit card data belonging to an unspecified number of customers. [Computerworld Privacy News]
2:11:52 PM

News Item 4485 A constant state of insecurity | InfoWorld | Column | 2005-11-04 | By Roger A. Grimes

For the past few months an acquaintance of mine has been sniffing various public wireless and wired networks around the world, looking to see what plain text passwords are visible. It was an eye-opening experiment.

She used a bunch of different tools, but mostly Cain. At the moment, it collects 18 different passwords or password representations, including plain text passwords sent over HTTP, FTP, ICQ, and SIP protocols, and will automatically collect the user's log-in name, password (or password representation), and access location.

Other than a few simple validity reviews and summary counts, my friend doesn't look at the log-in names or passwords, and she deletes any collected information after obtaining the counts. She hasn't used ARP (Address Resolution Protocol) poisoning or done anything other than to count plain text passwords passing by her traveling laptop's NIC when she's in a hotel, airport, or other public network.

Although some -- including me -- might question her ethics, the information she shared is useful in understanding our true state of insecurity.

She said about half the hotels use shared network media (i.e., a hub versus an Ethernet switch), so any plain text password you transmit is sniffable by any like-minded person in the hotel. Most wireless access points are shared media as well; even networks requiring a WEP key often allow the common users to sniff each other's passwords.

She said the average number of passwords collected in an overnight hotel stay was 118, if you throw out the 50 percent of connections that used an Ethernet switch and did not broadcast passwords.

The vast majority, 41 percent, were HTTP-based passwords, followed by e-mail (SMTP, POP2, IMAP) at 40 percent. The last 19 percent were composed of FTP, ICQ, SNMP, SIP, Telnet, and a few other types.


2:05:52 PM
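Added example, not code from the column or from Cain: a small Python auditor in the spirit of the count-only method described above, run over constructed capture lines, that flags the credential-bearing line of each cleartext protocol the column names (HTTP Basic, POP3, IMAP, SMTP AUTH PLAIN, FTP), tallies them by the column's three categories without retaining the credential values, and leaves TLS-wrapped sessions uncounted, so an administrator can see which of their own services still need an encrypted replacement. The "protocol payload" line format and the sample content are assumptions.

```python
import re
from collections import Counter

# Constructed sample: one decoded application-layer line per entry, prefixed
# with the protocol a capture tool attributed it to. Not real traffic.
SAMPLE_LINES = """\
http GET /login HTTP/1.1
http Authorization: Basic YWxpY2U6aHVudGVyMg==
pop3 USER bob
pop3 PASS letmein
imap a001 LOGIN carol secret
ftp USER dave
ftp PASS pa55
smtp AUTH PLAIN AGVyaW4AcGFzcw==
https <encrypted application data>
http GET /index.html HTTP/1.1
"""

# One pattern per cleartext protocol, matching only the line that carries the
# credential. The matched text is discarded; only the count is kept.
PATTERNS = {
    "http": re.compile(r"^Authorization:\s+Basic\s+\S+", re.I),
    "pop3": re.compile(r"^PASS\s+\S+", re.I),
    "imap": re.compile(r"^\S+\s+LOGIN\s+\S+\s+\S+", re.I),
    "smtp": re.compile(r"^AUTH\s+PLAIN\s+\S+", re.I),
    "ftp": re.compile(r"^PASS\s+\S+", re.I),
}

# The column's grouping: web, e-mail, everything else. TLS-wrapped protocols
# (https, imaps, pop3s, ...) have no pattern and are therefore never counted.
CATEGORY = {"http": "HTTP", "pop3": "e-mail", "imap": "e-mail", "smtp": "e-mail"}


def count_cleartext_logins(text):
    """Tally credential exposures per category; credential values are not stored."""
    counts = Counter()
    for line in text.splitlines():
        proto, _, payload = line.partition(" ")
        pattern = PATTERNS.get(proto)
        if pattern and pattern.match(payload):
            counts[CATEGORY.get(proto, "other")] += 1
    return dict(counts)


def percentages(counts):
    """Express the tally as whole-number percentages, as the column does."""
    total = sum(counts.values())
    return {k: round(100 * v / total) for k, v in counts.items()} if total else {}
```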

News Item 4484 Audio Available of John Gilmore vs Gonzales Arguments on December 8, 2005.

Audio Available of John Gilmore vs Gonzales Arguments on December 8, 2005. On July 4, 2002, John Gilmore went to Oakland International Airport in California and attempted to take a domestic flight. He produced his ticket and was told he also had to show his ID. He asked to see the law requiring him to show ID before he could travel. Mr. Gilmore was informed that the law was secret and that he could not see it.

He missed his flight.

Then he sued the government.

Oral arguments were heard before the 9th Circuit Court of Appeals on December 8, 2005. The court has posted audio files of the arguments here (requires Windows Media Player or compatible software).

The arguments raise some interesting legal issues that will have a long-term impact on ID requirements and US citizens' right to travel.

[PrivacySpot.com - Privacy Law and Data Protection - nothing but privacy]
1:59:51 PM

News Item 4483 Marion County, Fla., Runs Identity Theft Protection Project.

Marion County, Fla., Runs Identity Theft Protection Project. Redacting of private information becomes public responsibility as of Jan. 1 [GT: Privacy]
1:57:37 PM

News Item 4482 The Statesman - Betrayed by email

E-mail seems so personal and private. After all there is nothing between you and the laptop screen; and when you press the key SEND, you have the illusion that nothing could be more confidential than the digital stream that you have let loose. But nothing is beyond the reach of corporate lawyers and law enforcement authorities in this age of total awareness. Desperate housewives seeking fortunes in divorce have e-mail as their best bet after their husbands have begun to rejuvenate their libidos somewhere else.

In early March, The Boeing Company fired its 68-year-old CEO, Harry Stonecipher, for having an extramarital sexual affair with a company employee. He had the brazen foolishness to be expressive about his carnal desires in a sexually explicit manner in e-mail exchanges with the woman. None should have read the top dog's e-mail, but someone did. Stonecipher, ironically, was plucked from his retirement to rebuild the image of Boeing after the company had suffered a scandalous period under its previous CEO.

Enron, the defunct energy conglomerate that put up a power plant in Dabhol, Maharashtra, was undone by its e-mail, which in hindsight you might say was good for the stakeholders and public at large. The company did not comprehend the liability issues in dealing with e-mail, which makes me believe that every business should have its annual e-mail audit. Employees should be given workplace and documentation training.

Since most American office workers use the Internet and communicate via e-mail, bosses are watching closely how their employees use the company's electronic resources. Several court decisions regarding workplace privacy indicate that in the United States employees have few privacy rights over their e-mail, if it is stored in the company's system.

1:53:37 PM

News Item 4481 Gartner sees RFID as $3 billion business by 2010 | CNET News.com

RFID technology is on the upswing as businesses start to see ways it can augment bar coding, according to a new report.

Worldwide spending on the emerging wireless tracking technology is set to reach $504 million this year, up more than one-third from 2004, market researcher Gartner said Tuesday. Adoption will accelerate by 2007, with spending pegged to hit $3 billion by the end of the decade.


1:49:51 PM

News Item 4480 INSIDE JoongAng Daily - The dark side of IT: privacy erosion

Shin Ae-ja used to spend the afternoon picking up her two daughters from school after work. But that was before Big Brother intruded into her life.

These days the kids' grandmother gets them from school while Ms. Shin joins "comrades" for sit-in protests in front of the National Assembly building in Yeouido.

Ms. Shin is one of 13 female factory workers from Hitec RCD Korea, a manufacturer of model airplanes. Taking turns on a nearly 200-day protest, the women want the government to punish their employer, whom they accuse of secretly watching them through closed-circuit television cameras at the factory, and compensate them for medical expenses incurred while treating their psychological suffering.

"We are victims of an illegal surveillance system," read posters hanging around their protest tent. "We are hurt and suffering from mental trauma."

Of the 13 women, five have been fired by the company for causing labor disputes. But their real crime, they say, was complaining about the company's surveillance system which appeared to target women who joined the labor union.
1:46:36 PM

News Item 4479 Security chiefs share pain of being stuck in the middle.

Security chiefs share pain of being stuck in the middle. Corporate security experts face a crisis as they are caught between regulators demanding better accountability for data security and the need to keep businesses up and running with the help of many business partners, an American Express security executive said. [Computerworld Privacy News]
12:26:12 PM

News Item 4478 DirecTV to pay $5.3 million in 'Do Not Call' settlement - Dec. 13, 2005

Officials announced a $5.34 million settlement Tuesday with satellite TV provider DirecTV over alleged violations of the Do Not Call rule, the largest civil penalty ever obtained by the Federal Trade Commission in a consumer protection enforcement case.

The FTC's action "demonstrates that the registry is a program consumers can continue to believe in," said FTC Chairwoman Deborah Platt Majoras at a press conference held Tuesday morning. "Sellers are on the hook for calls placed on their behalf and for their benefit," she added. "It is not named the Do Not Call Registry for nothing."

DirecTV (down $0.05 to $13.72), five firms telemarketing on the company's behalf, as well as six principals of the telemarketing firms were involved in the case, which Majoras said accounted for the single biggest category of do-not-call violations the commission has ever received. In response, DirecTV issued a statement that said, "DIRECTV wholly supports the national Do-Not-Call Registry and our agreement with the FTC reflects our commitment to prevent unwanted and unlawful telemarketing calls to existing and potential DIRECTV customers."

"The majority of the complaints the FTC received related to telemarketing calls placed by a small number of former independent retailers, who ignored DIRECTV policies prohibiting unauthorized telemarketing," the statement added.

But Majoras was quick to emphasize that the most important part of the settlement is that it sends a warning to companies that they cannot hire telemarketers and then turn their backs on whether or not the rules are followed.
12:23:27 PM

News Item 4477 DirectTV to Pay $5.4M in Privacy Fines.

DirectTV to Pay $5.4M in Privacy Fines. abscissa writes "Remember the do-not-call registry? DirecTV is in big trouble for violating the list, and faces the largest civil assessment ever obtained of $5.4M for harassing people over the phone at home and ignoring the registry. Although it looks like DirecTV was outsourcing all their telemarketing (obviously), the FTC received 1.4 million complaints, the biggest category of do-not-call violations ever received." --- From the article: "Majoras was quick to emphasize that the most important part of the settlement is that it sends a warning to companies that they cannot hire telemarketers and then turn their backs on whether or not the rules are followed." [Slashdot: Your Rights Online]
12:17:50 PM

News Item 4476 Diebold CEO Resigns Under Cloud.

Diebold CEO Resigns Under Cloud. Philip K Dickhead writes "After numerous ethical lapses and much controversy, Diebold CEO Wally O'Dell resigned to the applause of the markets. Diebold's price improved more than 5% today, as the story broke. Business Week is reporting that O'Dell is leaving for "personal reasons", although the news blog Raw Story cites board action on imminent securities fraud litigation, and legal challenges by states claiming fraudulent certification of Diebold voting machines. Latest vulnerability tests show an impossibly negligent attention to vote security and privacy." --- Not overly surprising, considering their recent childish antics in NC [Slashdot: Your Rights Online]
12:15:11 PM

News Item 4475 BBC NEWS | Europe | EU approves data retention rules

The European Parliament has approved rules forcing telephone companies to retain call and internet records for use in anti-terror investigations.

Records will be kept for up to two years under the new measures.

Police will have access to information about calls, text messages and internet data, but not exact call content.

The UK, which pressed European member states to back the rules, said that data was the "golden thread" in terrorist investigations.

The parliament voted by 378 to 197 to approve the bill, which had already been agreed by the assembly's two largest groups, the European People's Party and the Socialists.


12:12:26 PM

News Item 4474 EU Approves Data Retention.

EU Approves Data Retention. submanifold writes "The EU have ratified rules that will force ISPs and other telecommunication companies to retain data for two years. This data includes the time, date and locations of both mobile and landline calls (as well as whether or not they were answered) along with logs of internet activity and email. Apparently the content itself would not be accessible, merely the data concerning it. However, despite being touted as an anti-terrorist measure, the record industry has already admitted interest in acquiring such data." [Slashdot: Your Rights Online]
12:10:14 PM

News Item 4473 Infosecwriters.com - Low Cost Technique for Intrusion Detection

I have attempted to uncover and explore a free and easy solution for the cost-conscious small to medium size network to incorporate Intrusion Detection. The paper will focus on the aspects of free tools in relation to Intrusion Detection. I will define the tools I am using, where I will place the tools within the network, why I decided to place the tool in this particular location, and what defense mitigation the tool should assist.

I have chosen three products to use in developing this particular solution for Intrusion Detection: Eagle X as the primary detection mechanism, Ethereal for capturing and reporting detail, and GFI LANguard for system integrity or Host Based Intrusion Detection. I will also implement a relationship with two different reporting agencies to assist in the understanding and detection process. These reporting agencies, MyNetwatchman.com and Dshield.org, will provide another level or layer of detection as well as a reporting and escalation process.

This document is in PDF format.


12:07:38 PM

News Item 4472 What's happening in the European identity management world?

What's happening in the European identity management world? Siemens of Germany has been involved in identity issues for longer than most current identity management companies have been in business. It goes back to the early days of X.500, yet I frequently forget to mention Siemens when talking about identity management issues for much the same reason I used to overlook RSA - I think of it in non-ID management terms. Siemens makes a full range of consumer products (phones, appliances, computers, hearing aids, televisions, radios and more) as well as power generators, measuring devices and even locomotive engines! [Identity management news]
12:03:24 PM

News Item 4471 MEPs vote for mandatory data retention.

MEPs vote for mandatory data retention.

Costs, scope still unclear

The European Parliament has approved proposals on data retention that would compel telecom firms to keep customer email logs, details of internet usage and phone call records for between six months to two years.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:01:21 PM