Wednesday, October 11, 2006


News Item 7429 The Ithaca Journal - Enhanced federal IDs could spark biometrics boom

The technology has been the stuff of movies for years: A secret agent runs his fingertip and an encrypted ID card over a pair of sensors. There's a match, and the door swings open.

In the coming months, a wave of government initiatives could start making such high-tech methods of identification commonplace -- beginning with the replacement this fall of federal employee IDs. Similar cards are planned for transportation workers, first responders and visitors to the United States.
    
Packed with biometric data such as fingerprints and containing a computer chip with room to expand the amount of information stored, the new IDs represent a potential boon to technology companies eyeing an estimated $8 billion in identity-related contracts. Firms such as BearingPoint Inc. and Lockheed Martin Corp. have set up showcase identity labs, pulling technology from different companies into turnkey operations. Hundreds of smaller companies, down to manufacturers of plastic cards, are vying for part of the market.
The biggest business opportunity still looms: Driver's licenses, which are due for a retooling under new federal laws.
5:51:44 PM

News Item 7428 E-Health Gaffe Exposes Hospital.

E-Health Gaffe Exposes Hospital. An Indiana computer consultant finds a password hard-coded into a popular medical office application, and that leads to patient data from a hospital in Washington, D.C. By Kevin Poulsen. [Wired News: Security Blanket]
5:48:42 PM

News Item 7427 Protect Yourself From Pretexting.

Protect Yourself From Pretexting. Do you sit on the board of a Silicon Valley giant? Are you a journalist with high-placed sources to protect? Here's your survival guide for the dawning era of corporate plumbers and counter-journalism espionage. By Kim Zetter. [Wired News: Security Blanket]
5:47:22 PM

News Item 7426 Belgian PM: Data Transfer Broke Rules

The transfer of confidential banking records by a Belgium-based company to U.S. authorities for use in anti-terrorism investigations breached Belgian and likely European Union data privacy rules, top government officials said Thursday.

The controversy surrounds a secret transfer deal between the U.S. treasury and the Belgium-based Society for Worldwide Interbank Financial Telecommunication, or SWIFT.

The company routes about 11 million financial transactions daily between 7,800 banks and other financial institutions in 200 countries, recording customer names, account numbers and other identifying information.

'SWIFT finds itself in a conflicting position between American and European law,' Prime Minister Guy Verhofstadt said. 'When you look to every European legislation they ask more guarantees than those obtained by SWIFT.'

He said Belgium would be pushing its EU partners to open talks on a new agreement to get more privacy guarantees from the U.S. side as part of a new deal on the transfer of financial records used in terror investigations.


5:45:17 PM

News Item 7425 NSA Bill Performs a Patriot Act.

NSA Bill Performs a Patriot Act. Under the guise of reining in the Bush administration's warrantless eavesdropping program, the Senate Judiciary Committee approves a bill that would dramatically expand the government's domestic surveillance capabilities, and usher in a new age of rampant monitoring. By Ryan Singel. [Wired News: Security Blanket]
5:43:12 PM

News Item 7424 Pay By Touch puts its finger on ID verification system.

Pay By Touch puts its finger on ID verification system. Pay By Touch, a credit card processing and in-store biometrics vendor, has launched an identity verification service that allows online shoppers to make purchases by using their fingerprint to verify their identity. [Computerworld Privacy News]
5:41:13 PM

News Item 7423 Microsoft revokes MVP status of adware distributor.

Microsoft revokes MVP status of adware distributor. Microsoft has revoked one of its Most Valued Professional awards after learning that the recipient distributes adware. [Computerworld Privacy News]
5:39:40 PM

News Item 7422 FCW.com - IG: IRS not doing enough to safeguard taxpayers' privacy

The Internal Revenue Service has not done enough to protect the privacy of more than 130 million taxpayers, according to a Treasury Department Inspector General's report released Oct. 3.

The agency has conducted privacy impact assessments (PIAs) on fewer than half of its computer systems and does not adequately monitor its own application of privacy laws, according to the report from the Treasury IG for Tax Administration.

The E-Government Act of 2002 and IRS guidelines require every computer system or project that collects personal information to have a current PIA on file with the agency's privacy office. As of August 2005, the IG could not find PIAs for 130 of the 241 IRS computer systems that collect the sensitive information, according to the report.

"We attribute the missing PIAs to the lack of emphasis on privacy issues, and the decision to not require that all systems be certified and accredited," the report states.

Thus, taxpayers' identities are at a higher risk of being stolen and used unlawfully, the report found.

The IG recommended that IRS officials build a searchable database of PIAs with quarterly verifications on their accuracy and reinforce the importance of PIA case documentation.

The IG report recommended that officials review employee privacy training and assess whether IRS business units meet regulations.


5:37:22 PM

News Item 7421 FCW.com - House passes data breach bill

A bill that would require all federal agencies to strengthen their protection of sensitive information has passed the House and now moves on to the Senate.

The language is part of a larger bill, the Veterans Identity and Credit Security Act of 2006. Rep. Tom Davis (R-Va.), who introduced the measure applying to all agencies, said he will try to move the language separately if the Senate does not act on the bill.

Davis' legislation would amend the Federal Information Security Management Act, which Davis introduced and championed in 2002. The change directs the Office of Management and Budget to establish procedures for agencies to follow if personal information entrusted to an agency is lost or stolen. It also requires agencies to notify people whose personal information is jeopardized by a security breach and gives chief information officers the power to ensure that agency employees comply with information security laws.

The bill comes after a series of revelations about lost, stolen or exposed data from several agencies.


5:34:53 PM

News Item 7420 Beguiling but Beware: Ajax, VOIP.

Beguiling but Beware: Ajax, VOIP. They are slick and gaining popularity, but voice over internet protocol and Ajax have some big security problems that will probably get worse before they get better. Quinn Norton reports from San Diego. [Wired News: Security Blanket]
5:32:32 PM

News Item 7419 NSA Spy Program Gets Temporary OK.

NSA Spy Program Gets Temporary OK. Hold the phone: Warrantless surveillance of international calls and e-mails into and out of the United States can go ahead while a judge's ruling, which called the intercepts unconstitutional, works its way through the appeals process. [Wired News: Security Blanket]
5:30:59 PM

News Item 7418 Why Everyone Must Be Screened.

Why Everyone Must Be Screened. Isn't it logical and more efficient to allow people carrying U.S. government security clearances to bypass airport screening? You might think so, but you'd be wrong. Commentary by Bruce Schneier. [Wired News: Security Blanket]
5:27:14 PM

News Item 7417 Slashdot | New Copy Protection to Make Playing DVDs on a PC Difficult

The Cowardly Pirate writes "ZDNet's Hardware 2.0 blog is reporting that new copy-protection software for DVD publishers from a company called ProtectDisc not only makes it difficult to rip movies that you've purchased but also prevents discs from playing in a Windows PC at all. From the article: 'Protect DVD-Video is the brainchild of a company called ProtectDisc. Part of the copy-protection mechanism is a non-standard UDF (Universal Disc Format) file system which results in the IFO file on the DVD (this is the file responsible for storing information on chapters, subtitles and audio tracks) appearing to the PC as being zero bytes long.'"
5:25:22 PM

News Item 7416 Slashdot | Vista DRM Prevents Kernel Tampering

mjdroner writes "A ZDNet blog reports on a new DRM feature for Vista that 'protects' the kernel from tampering. The blog quotes a Microsoft document: 'Code (CI) protects Windows Vista by verifying that system binaries haven't been tampered with by malicious code and by ensuring that there are no unsigned drivers running in kernel mode on the system.' The blog says that much of the DRM in Vista is simply a port from XP, but that this feature is new to the OS."
5:23:30 PM

News Item 7415 Privacy Group Files Suit Against FBI

A privacy-advocacy group is suing the U.S. government for records concerning electronic-surveillance tools such as one that appears to be a successor to the FBI's abandoned Carnivore program.

The Electronic Frontier Foundation said it is suing the Department of Justice because the FBI failed to respond in time to its Freedom of Information Act request for records on the DCS-3000 and Red Hook programs.

DCS-3000 is an interception system that the EFF said apparently evolved out of Carnivore, a system later renamed DCS-1000. The FBI developed Carnivore to read e-mails and other online communications among suspected criminals, terrorists and spies, but privacy groups and lawmakers complained it could collect much more than allowed by a warrant.

A Justice Department Inspector General report in March said the FBI had spent about $10 million on DCS-3000 to intercept communications over emerging digital technologies used by wireless carriers before next year's federal deadline for them to deploy their own wiretap capabilities.

The same report said the FBI spent more than $1.5 million to develop Red Hook, 'a system to collect voice and data calls and then process and display the intercepted information' before those wiretap capabilities are in place.


5:14:14 PM

News Item 7414 BBC NEWS | Technology | Internet privacy 'sacrificed' by Icann

Internet law professor Michael Geist argues that the internet oversight body has sacrificed the issue of privacy for a shot at independence.

For the past five years, privacy has lingered as one of the Internet Corporation for Assigned Names and Numbers' (Icann) most contentious policy issues.

Information on tens of millions of domain name registrants is contained in the "WHOIS database", which is readily available to anyone with internet access.

Pre-dating Icann, the database identifies the name, address and other personal information of domain name registrants.

Privacy groups, including European data protection commissioners, have expressed misgivings about the mandatory collection and disclosure of this personal information.

5:11:17 PM

News Item 7413 Congress Wades Into HP Probe.

Congress Wades Into HP Probe. A Congressional committee, federal prosecutors and the FBI all join California's Attorney General to investigate the legalities of Hewlett Packard's questionable information-gathering methods. [Wired News: Security Blanket]
5:07:21 PM

News Item 7412 Private investigators plead not guilty in HP pretexting case.

Private investigators plead not guilty in HP pretexting case. Arraignment dates have been set for the three investigators in HP's pretexting case. [Computerworld Privacy News]
5:03:25 PM

News Item 7411 Survey: High-tech firms dissing online customers.

Survey: High-tech firms dissing online customers. High-tech and computer companies aren't as good as retailers and telecoms when it comes to communicating with their online customers. But they're getting better at respecting private data, according to a new survey by The Customer Respect Group. [Computerworld Privacy News]
5:01:41 PM

News Item 7410 ICANN: We can't shut down Spamhaus.

ICANN: We can't shut down Spamhaus. ICANN said it does not have the authority to legally shut down Spamhaus, a U.K.-based antispam service, despite a court order calling for it to do so. [Computerworld Privacy News]
5:00:21 PM

News Item 7409 FTC Report: "Let Localities Decide on Muniwireless".

FTC Report: "Let Localities Decide on Muniwireless".

Yesterday, the Federal Trade Commission released a report on municipal broadband. Specifically, the staff report tried to address the question, thoughtfully included in the title of the press release, "Should Municipalities Provide Wireless Internet Service?" Jon Leibowitz, the one Democrat (the other non-Republican, Pamela Jones Harbour, is an independent), issued a concurring statement strongly supporting the right of localities to provide broadband services as a needed competitor and potential "third pipe" into the home.

For me, the important bottom line on the Report is that each locality needs to make its own decision on whether to provide internet service, and under what model. Accordingly, it is a phenomenally bad idea to pass laws that impose blanket bans (like Nebraska's), or which limit the flexibility of localities to act (like Pennsylvania's law, which gives private companies a right of first refusal before municipalities can build their own systems).


[Public Knowledge - Policy Blog]
4:56:15 PM

News Item 7408 Macrovision DRM Still Screws TiVo Users.

Macrovision DRM Still Screws TiVo Users.

Last year, TiVo users experienced glitches that auto-erased recorded content. The culprit was Macrovision DRM, and it's back and as bad as ever in TiVo Series 3 for HD. CNet documents brand new errors that prevented viewing and recording content. (Link via BoingBoing.)

Unfortunately, glitches like this are only part of Series 3 users' worries. Hollywood and cable providers have forced TiVo to remove TiVoToGo and implement a host of DRM restrictions in this device. If a program is marked as "copy never" or "copy once," your TiVo must obey -- it doesn't matter whether the copy limit was put there on purpose by the cable provider or was a technical error, as in CNet's case.

Learn more about these restrictions in our new white paper, "Who Killed TiVoToGo?"

[EFF: Deep Links]
4:53:39 PM

News Item 7407 US and EU stitch up airline passenger data deal.

US and EU stitch up airline passenger data deal.

And data protection law

European data protection authorities are choking on their baguettes after seeing the detail of the data-sharing agreement the EU signed with the US on Friday. The passenger name record (PNR) agreement was presented as a formality that had been passed by the respective administrations without so much as a hiccup. But it's proving hard to swallow.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
4:51:16 PM

News Item 7406 Privacy groups rap DHS plan to limit access to clearance information (10/10/06)

Privacy advocates have voiced strong opposition to the Homeland Security Department's proposal to scale back the amount of information that security clearance applicants can access about government investigations of their background.

"It needs to be thoroughly revised," Pam Dixon, executive director of the World Privacy Forum, said of DHS' proposed rule change. Members of the public have until Oct. 12 to submit comments on the draft regulation.

DHS argued in its proposal that more information that comes up during background checks -- central to employment in many positions at the department -- must be kept secret to avoid compromising national security or revealing that an individual is being investigated.

Dixon responded with a four-page letter, in which she argued that DHS' move to "commingle" systems of records that come up during investigations -- including those on terrorism-related inquiries and criminal investigations -- and then exempt them from the 1974 Privacy Act creates an overly broad category of documents that are unavailable to applicants. Provisions in the Privacy Act currently give applicants the right to view their materials.


4:47:19 PM

News Item 7405 Californians Lose Out on New RFID Safeguards.

Californians Lose Out on New RFID Safeguards.

Last month, California's state legislature passed a bipartisan, groundbreaking new law that would institute tough privacy safeguards for Radio Frequency Identification (RFID) chips embedded in state identification cards. Unfortunately, over the weekend Governor Arnold Schwarzenegger vetoed the Identity Information Protection Act and prevented Californians from gaining control over the personal information that will be broadcast by RFID-equipped drivers' licenses, library cards, and other important ID cards.

In his veto statement, Schwarzenegger claimed that the bill was premature, as the federal government has not released new technology standards for state drivers' licenses and other ID cards as part of the REAL ID Act. But this is precisely why California and other states should act now. The REAL ID Act mandates that drivers' licenses have "common machine-readable technology" on every ID. If the Department of Homeland Security decides that this "machine-readable technology" will be RFID, then citizens deserve a thoughtful and rational law to protect them from identity theft, covert tracking, and stalking.

While obviously disappointing, the fight's not over yet -- EFF and our partners will work hard to get this bill reintroduced and passed next year. The bill is sponsored by EFF, the ACLU, and the Privacy Rights Clearinghouse, and support came from groups ranging from the AARP to the California Alliance Against Domestic Violence to the Gun Owners of California.

[EFF: Deep Links]
2:10:10 AM

News Item 7404 BAY AREA / 3 of region's brightest win 'genius' fellowships / $500,000 each in grants from the MacArthur Foundation

"Techies love technology and solving problems, and social problems are often the coolest ones," he said. "They just don't make you any money."

Fruchterman calls the work "social entrepreneurship" and created a new nonprofit, the Benetech Initiative, to carry out the vision. His first project: a secure computer database to allow social activists to document human rights abuses. Called Martus (Greek for witness), it has been used in Guatemala to sift through 80 million documents detailing homicides and disappearances during the country's 36-year civil war.

"The whole idea is to capture the raw material of human rights -- the stories, the testimony, the eye-witness statements," he said. "This is data gathered at great expense, and sometimes at great human cost."
2:08:46 AM

News Item 7403 EFF - miniLinks for 2006-10-03.

miniLinks for 2006-10-03.

[EFF: Deep Links]
2:03:51 AM

News Item 7402 EFF - Another Court Says "National Security" Isn't Blank Check for Illegal Spying.

Another Court Says "National Security" Isn't Blank Check for Illegal Spying.

Today, a federal court shot down yet another attempt by the government to use "national security" as a blank check for illegal surveillance. Refusing a claim that the government could not even confirm or deny whether it had listened in on calls between attorneys at the Center for Constitutional Rights and their clients, the court ordered the government to provide that information to the court in secret first, then set up a process to possibly provide that information to the attorneys involved. The court confirmed: "It is a cardinal rule of litigation that one side may not eavesdrop on the other's privileged attorney-client communications."

That should have been obvious to the government from the beginning. But the fact that the government refused to confirm that it wasn't violating this "cardinal rule" protecting attorney-client communications should raise concerns for all of us. Kudos to yet another court for holding the government to the basic rule of law. The New York Law Journal has more details.

The government's overreaching attempts to prevent courts from considering cases where it asserts "national security" are now starting to fail, including, of course, in EFF's case against AT&T for helping the government's massive and illegal NSA spying program. Learn more here.

[EFF: Deep Links]
2:00:48 AM

News Item 7401 Best Privacy Policy Ever?

Best Privacy Policy Ever?

Cory over at Boing Boing blogged last week about an online service that helps you manage bills and informal cash flows with your roommates and friends. The service, called BillMonk, is interesting, but what's even more interesting is BillMonk's privacy policy, which is the shortest, clearest, and most substantively protective policy we've read in a long while.

[EFF: Deep Links]
1:59:17 AM

News Item 7400 Sixth Circuit Halts Injunction Against Warrantless Surveillance Pending Appeal.

Sixth Circuit Halts Injunction Against Warrantless Surveillance Pending Appeal.

Today the U.S. Court of Appeals for the Sixth Circuit issued a stay to halt the enforcement of a federal court order stopping the government's warrantless surveillance program, pending the outcome of the government's appeal of the decision declaring the program illegal and unconstitutional. The short opinion, which offered little legal analysis, is disappointing, but it's not the last word on the government's illegal spying -- this case will still be heard on appeal by the Sixth Circuit. After defeating the government's and AT&T's motions to dismiss in the district, our lawsuit against AT&T for its collaboration with the spying program is moving forward in the federal court in San Francisco, while the government has petitioned for permission to appeal to the 9th Circuit.

[EFF: Deep Links]
1:57:35 AM

News Item 7399 Unblinking: New Perspectives on Visual Privacy in the 21st Century. (symposium)

Unblinking Symposium.

I just came across an amazing-looking multi-disciplinary symposium on privacy and surveillance at Berkeley: Unblinking: New Perspectives on Visual Privacy in the 21st Century.

The program is quite impressive, including Ian Kerr (who gave the keynote last week at our IINW symposium), Julie Cohen, and Helen Nissenbaum (my dissertation advisor).

I'd love to attend, but it is the same weekend as the annual meeting of the Society for Social Studies of Science in Vancouver, where I will be presenting the paper on "Values and pragmatic action: The challenges of engagement with technical design communities" that Noemi and I have been working on.

[michaelzimmer.org]
1:54:14 AM

News Item 7398 US, EU Agree To Share Air Passenger Data.

US, EU Agree To Share Air Passenger Data. Negotiators have reached an agreement on how to transfer information about passengers flying to the U.S. from Europe. [PC World: Latest Technology News]
1:49:15 AM

News Item 7397 Application Error Handling: How to Avoid Death by a Thousand Cuts.

Application Error Handling: How to Avoid Death by a Thousand Cuts. Bryan Sullivan from SpiDynamics presents this brief paper on AJAX security. By Bryan Sullivan. [Infosec Writers Latest Security Papers]
1:45:59 AM

News Item 7396 Creating Business Through Virtual Trust.

Creating Business Through Virtual Trust. In this paper, Kenneth Belva and Sam DeKay examine how information security can be actively involved in the creation of business and that the skills required to create commercial activity must be added to the information security professional's intellectual tool set. They also present evidence to demonstrate that the capability of security to create business, which they designate by the term "virtual trust", may become a dominant paradigm for how to think about information security. By Kenneth F. Belva. [Infosec Writers Latest Security Papers]
1:44:18 AM

News Item 7395 Penetration Test Framework UPDATE.

Penetration Test Framework UPDATE. Lee Lawson submits this update on an excellent Penetration Test Framework. This is a must for anyone performing penetration testing!!! By Toggmeister. [Infosec Writers Latest Security Papers]
1:41:55 AM

News Item 7394 UK and US plan realtime police database links.

UK and US plan realtime police database links.

Dry run on immigration databases

UK and US immigration databases have been linked in an intelligence sharing experiment that could lead to permanent trans-Atlantic data stores of wanted and suspected people.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:39:04 AM

News Item 7393 Indian data theft 'exposed'.

Indian data theft 'exposed'.

Britain gripped by fear of keyboard-wielding foreigners

A man in India offered to sell the front man of a Channel 4 sting operation the credit card details of 200,000 people, the programme Dispatches will reveal tonight.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:36:28 AM

News Item 7392 Arnie terminates RFID bill.

Arnie terminates RFID bill.

It'll be back, vows sponsor

Legislative proposals to regulate government use of RFID technology in California have been vetoed by state governor Arnold Schwarzenegger.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:34:31 AM

News Item 7391 US judges rule on warrantless surveillance.

US judges rule on warrantless surveillance.

Spy on the wire

A US appeals court has allowed the government to continue its controversial warrantless surveillance program pending a full review of a ruling by a lower court that the practice is unconstitutional.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:31:28 AM

News Item 7390 Bugging offices is not a crime (in UK).

Bugging offices is not a crime (in UK).

Pretexting is for kids

Bugging offices in the UK is not a criminal offence, according to surveillance and legal experts speaking to OUT-LAW radio. While recording a phone conversation is a criminal offence, someone could place a recording device in an office legally, they said.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:28:35 AM

News Item 7389 Micro pretexter makes micro payment to FTC

Micro pretexter makes micro payment to FTC.

One down, four to go

A tiny business that sold consumers phone records and records of credit card accounts over the Internet is very sorry and promises not to do it again. And no more pretexting, either.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:26:53 AM

News Item 7388 Parents prepare to sue fingerprint grabbers.

Parents prepare to sue fingerprint grabbers.

Schools to be challenged over biometrics

Parents are preparing a legal challenge to schools that have fingerprinted their children without their consent.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:25:21 AM

News Item 7387 ID Cards to cost £5.4bn.

ID Cards to cost £5.4bn.

Home Office guesstimate

The Home Office has announced how much it thinks ID cards are going to cost us - a mere £5.4bn.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:12:48 AM

News Item 7386 Slashdot | Swiss to Use Spyware to Listen to VoIP

An anonymous reader writes "Heise Security is reporting that the Swiss Department of the Environment, Transport, Energy and Communications is entertaining the idea of utilizing the 'Superintendant Trojan', a spyware program designed to allow eavesdropping on VoIP conversations. According to ERA IT Solutions, the creator of the software, it will only be distributed to investigation agencies in the hopes of keeping it out of the hands of malicious hackers since firewalls apparently 'do not present a problem' for the software."
12:26:07 AM