Tuesday, September 26, 2006


News Item 7335 Data Theft Notifications - How Soon is Too Soon?

Data Theft Notifications - How Soon is Too Soon? bsdbigot asks: "I started getting a bunch of stock-tout spam in the last month or so. The other day, I happened to look and see it was coming in to an email address I had dedicated to my online trading account. I've spoken to the online trading company, and I've given them the info on these spams. It turns out there is an 'ongoing investigation,' which includes 'outside agencies,' but they stop short of saying that there is any theft or breach. How soon should such a company let its customers know that their data has been compromised? Should they wait until they have all the details and have plugged the breach, or should they let customers know that there is a possible problem as soon as they recognize it?"  [Slashdot: Your Rights Online]
8:43:47 AM

News Item 7334 The Culture of Evasion.

The Culture of Evasion.   theodp writes  "In the wake of Patricia Dunn's resignation, Wired's Fred Vogelstein walked away less than impressed with HP CEO Mark Hurd's spying mea culpa. He says it smacked more of standard corporate ass covering than leadership, especially coming 3 weeks after the scandal broke. His sentiments are echoed in Computerworld's Culture of Evasion, which was written before Hurd mounted an I-knew-nothing defense. Hurd claims that he bailed out on a meeting that approved the spying, neglected to read the spying report directed to him, and was clueless about the tracer technology employed in the reporter-baiting false e-mail he personally gave thumbs-up to." [Slashdot: Your Rights Online]
8:38:32 AM

News Item 7333 RIAA Wants to Include Song Files it Can't Produce.

RIAA Wants to Include Song Files it Can't Produce. NewYorkCountryLawyer writes  "In UMG v. Lindor the RIAA is trying to include song files it doesn't have copies of as part of its 'distribution' argument. The defendant Marie Lindor is asking the Court to preclude them from doing that. She points to the RIAA's own interrogatory response in which the record companies swore that their case was based upon their investigator seeing a screenshot and then downloading 'perfect digital copies'. They produced eleven (11) copies of song files, but want to be able to prove twenty seven (27) other songs for which they can't produce the files." [Slashdot: Your Rights Online]
8:34:13 AM

News Item 7332 komo news | AOL Subscribers Sue Over Release Of Search Data

Three AOL subscribers who suddenly found records of their Internet searches widely distributed online are suing the company under privacy laws and are seeking an end to its retention of search-related data.

The lawsuit is believed to be the first in the wake of AOL's intentional release of some 19 million search requests made over a three-month period by more than 650,000 subscribers, including the three plaintiffs - two unnamed Californians and Kasadore Ramkissoon of Richmond County, N.Y.

Filed Friday in U.S. District Court in Oakland, Calif., the lawsuit seeks class-action status. It does not specify the amount of damages being sought.
8:29:08 AM

News Item 7331 AOL Subscribers Sue Over Release Of Search Data.

AOL Subscribers Sue Over Release Of Search Data. An anonymous reader points out an AP story indicating that AOL hasn't seen the end of its own public embarrassment after airing some dirty laundry on behalf of its customers. ---  Excerpted from the story:  "Three AOL subscribers who suddenly found records of their Internet searches widely distributed online are suing the company under privacy laws and are seeking an end to its retention of search-related data ... The lawsuit is believed to be the first in the wake of AOL's intentional release of some 19 million search requests made over a three-month period by more than 650,000 subscribers. ... Filed Friday in U.S. District Court in Oakland, Calif., the lawsuit seeks class-action status. It does not specify the amount of damages being sought." [Slashdot: Your Rights Online]
8:26:32 AM

News Item 7330 Some Sobering Security Stats.

Some Sobering Security Stats.

Symantec today released its latest report on Internet security, cataloging 2,249 software vulnerabilities discovered or reported from January through June 2006 -- the most the company has ever recorded in a six-month period.

Nearly 80 percent of the vulnerabilities were considered easily exploitable and involved applications like Web browsers or software such as blogging and shopping cart programs.

Hackers often use Web application flaws to deface Internet sites -- thousands of sites are defaced each day thanks to this class of vulnerabilities. Annoying as they are, however, defacements aren't the real problem. Criminals can exploit the same Web application flaws to gain access to sensitive databases, access that can drive credit card and identity theft. Online criminals also can use Web app flaws to hijack legitimate sites and redirect visitors to sites that try to install spyware and other malicious programs.

Web application flaws can even cause a Web site to become a drone in a massive army of computers that organized criminals use to launch crippling and extortionist attacks against other Web sites. According to Symantec's stats, the first six months of 2006 brought an average of 6,110 distributed denial-of-service attacks (DDoS) each day.

That figure is a low-ball number, as Symantec only measured DDoS attacks in cases where the perpetrators faked the Internet addresses of the compromised computers doing the attacking. With millions of compromised machines on the 'Net these days available for use in DDoS attacks, spoofing the source Internet address of drone computers is really not necessary, and the practice is now a lot less common than it used to be.

Other stats of interest in the report: Microsoft's Internet Explorer was the most frequently targeted Web browser, with 47 percent of all attacks. Mozilla's Firefox and other browsers had the most flaws -- 47, versus 38 for IE -- but IE continued to have the largest window of exposure to known security flaws.

A PDF copy of the Symantec report can be downloaded here.

[Security Fix]
8:19:24 AM

News Item 7329 Calling Sony BMG's Bluff; Canadian Rootkit Settlement Improved.

Calling Sony BMG's Bluff; Canadian Rootkit Settlement Improved.

Thanks to the quick action of the Canadian Internet Policy and Public Interest Clinic, Canadian consumers are getting a better deal from Sony BMG.

As EFF and others reported, the proposed Canadian Sony BMG rootkit settlement lacks several important consumer protection provisions (e.g. disclosure and testing requirements) that were included in the U.S. settlement. On Monday, CIPPIC filed an objection to the proposed settlement, challenging this glaring omission and the woefully inadequate and misleading "explanation" that Sony BMG offered for it. EFF submitted an affidavit in support of the objection, setting the record straight on the context and details of the U.S. settlement.

Taking note of the objection at a hearing on the settlement last week, the Canadian court required Sony BMG to give effective prior notice to Class Counsel and CIPPIC if it decides to use any DRM in Canada that has not already been independently vetted for security problems, as required by the U.S. Settlement. Thus, CIPPIC will be able to intervene to protect Canadians from becoming guinea pigs for DRM.

What's more, the settlement is not the end of Sony BMG's legal woes in Canada: it may now face investigations from Canadian regulators as well.

One of Sony BMG's lame excuses for the absence of stronger consumer protections in the Canadian settlement was that it only agreed to those provisions in the U.S. in response to pressure from U.S. government entities. Since the Canadian government wasn't leaning on Sony BMG as well, the label figured it didn't have to do the right thing.

Sony BMG's effort to rewrite history backfired. Taking up Sony BMG's implicit dare, CIPPIC filed complaints with five government agencies, calling for investigations into Sony BMG's conduct.

Now it's time for Canadian regulators to pick up where the civil litigators left off, and make sure Canadian customers--and their computers--get the protection they deserve.

[EFF: Deep Links]
8:15:31 AM

News Item 7328 EFF - Three Senators Cave On Surveillance Bill; Tell Your Senators to Hold the Line NOW.

Three Senators Cave On Surveillance Bill; Tell Your Senators to Hold the Line NOW.

Today, three key Senators who had previously stood against Senator Specter's surveillance bill caved to the White House's wishes regarding NSA spying legislation. Like Specter himself, these Senators agreed to a sham "compromise." The amendments do not change the simple fact that this bill remains just as dangerous as ever and in many respects is even worse.

Now more than ever, we need your help to stop the illegal spying -- take action NOW and tell your Senators to use all possible means to block this bill. The Senate recesses in six short days, and the November election is right around the corner, giving voters a chance to rebuke those who have supported the massive and illegal NSA spying program. But if you don't take action now, the election may come too late.

[EFF: Deep Links]
8:11:05 AM

News Item 7327 Lawsuit AIMS at AOL.

Lawsuit AIMS at AOL.
A San Francisco-based law firm has filed a long-anticipated class action lawsuit against AOL for releasing nearly 20 million search engine queries from more than 650,000 AOL subscribers in July.

The lawsuit alleges that AOL violated both the Electronic Communications Privacy Act and California's fraudulent and unfair business statutes and that the company is liable for publishing private, embarrassing facts about individuals that have no news value. ECPA includes mandatory damages of at least $1,000 per individual.

The suit (.pdf) is filed on behalf of three plaintiffs, two of whom are anonymous California residents and one named New York resident.

The suit also demands that AOL stop logging any search data at all and pay money for unfairly claiming to be a safe, privacy-friendly company.

One plaintiff lawyer familiar with internet privacy law who I talked with on background said that the reason suits were not filed sooner was that ECPA -- a law that clearly prohibits companies from sharing your emails -- is a legal gray area when it comes to search queries.

Add to this that the large majority of AOL subscribers that were affected could not be identified, the breach did not help AOL financially, that the FTC might already be working on an investigation, and that the company apologized, fired an executive, and said it was working on internal changes to its data-retention policy.

All in all, it's far from a slam-dunk suit.

Perhaps the most interesting charge in the lawsuit is that AOL released this data for non-commercial research purposes, but that the company has not tried to shut down sites that let people search through the data and run ads.

[27B Stroke 6]
8:08:41 AM