Two There Are Always (Plus a Freebie)

Gizmodo asks “Am I the only one extremely disappointed by the fact that these upcoming Lucas-approved USB keys don’t offer a Han model?” No, you’re not. I’d get me Han in Carbonite to protect my data any day. I bet Wil Shipley would too. Anyone who can explain why Anakin went to the dark side like he does in On Sith, Specifically Those Seeking Revenge… would understand the attraction of a wall decoration turned into a storage unit.

Neal Stephenson dissects the movies, in Turn On, Tune In, Veg Out, in the NY Times, forcing me to say, damn, I wish I could write like that.

Dear Gmail

Thank you so much for your recent letter, telling me that

We’ve noticed that you haven’t used your Gmail account, for quite some time. In order to make Gmail better
for our users, we’ve added a lot of things in the last few months and we hope
you’ll want to start using your account again. Here are just some of the latest

We’re still working hard every day to build you the best email service around.
But to keep Gmail great for our users, we may have to close inactive accounts
after 9 months. So, we hope you’ll give us another chance. To log in to your
Gmail account, just visit:

The Gmail Team

We sent you this message because we wanted to warn you of your account’s
inactivity and remind you of our dormant account policies…

Ummm, yeah. I know. Do you have to go rubbing it in?

Identity Thieves Drain Unemployment

But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims.

It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve made a quick $1.04 million. It’s tough to make crime pay much better than that.

So writes Michael Alter of SurePayroll in “States fiddle while defrauders steal.” But he offers precious little evidence of how much this is happening. (Via Slashdot.)

[Update: Scott Blake seems to have game, set and match in a comment on how hard this would really be. (Very hard work indeed.)]

Suntrust, 75? SSNs, Employee Jonathan Bryan Adair

This post was updated to replace the Suntrust logo with “You can’t shut me up” by Jennifer Moo, after a bunch of bozos called “Internet Identity” sent vaguely scary letters that chilled my web hosting company.


The Atlanta Journal Constitution reports that “Ex-SunTrust employee charged in check scam.” (Use Bugmenot for a login.):

The U.S. attorney’s office and the FBI said Jonathan Bryan Adair, 23, of Atlanta, is accused of giving information about customers with more than $5,000 in their accounts to Ayyub Abdul Khaliq Cornelius, 32, of Atlanta. Both men are named in an indictment charging conspiracy, bank fraud and identity theft.

Armed with the account information, the indictment charges, Cornelius used five other people to cash fraudulent checks totaling about $150,000.

The scheme was carried out from December 2004 to late May of this year, authorities said. It began with stolen checks, Social Security and driver’s license numbers, dates of birth, signature cards and balance amounts of SunTrust account holders.

Also, Cornelius is accused of “making” phony ID, but no word on whether that’s forgery or issuance fraud.

Equifax Canada, 600 credit histories, hacker

CBC is reporting “Hacker accesses files at Equifax:”

A computer hacker has accessed the files of about 600 consumers at Equifax Canada, one of Canada’s major credit bureaus. Most of the files are for consumers from British Columbia.

Better Business Bureau spokesperson Sheila Chernesky said personal financial information is being gathered all the time, and there isn’t much consumers can do to protect themselves.

“The credit bureau, Equifax, and the other credit bureau, Canada TransUnion, they collect information on us and we are perhaps not even aware of it,” she said.

Good thing there’s a general privacy law in Canada.

(Also, I’m experimenting with more tags.)

Florida Hospitals, “40 pages” of medical histories, mis-dialed fax

ALTAMONTE SPRINGS, Fla. — The private medical information for hundreds of people ended up at a Seminole County airplane parts business. The information was about patients at Florida Hospital East and Florida Hospital Altamonte. It included hundreds of names, birth dates, social security numbers and medical diagnosis information.

The 40-page fax included appointment information for several hundred patients, and the records were not limited to the Altamonte facility. Some of the patients were scheduled at what appears to be Florida Hospital East Orlando.

Leser said, when he found the fax on his machine, he tried to call a HIPAA hotline to report medical privacy breaches.

“I called the hotline and they told me they were not interested,” Leser explained.

And, he said, Florida Hospital staffers said they’d pick up the paper, but they never came.

The documents said on the top to use discretion in disseminating this information. Florida Hospital said they’re investigating the information lapse, but don’t yet know where the fax originated.

(From “Private, Personal Medical Info Faxed To Wrong Location” at WFTV, Via R S Heuman in Risks-23.90.)

Ed Moyle on “MasterCard Lays Down the Law”

In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending they comply with security procedures to “putting them on notice” to comply. Um…. Is it me, or does that sound like the same thing to you? If the only ramifications from MasterCard are in the vein of finger wagging, it shouldn’t be surprising that CardSystems would fail to take the regulations seriously. I’m concerned – this foolishness at CardSystems was the biggest loss of financial account data ever and MasterCard’s reaction was to “put them on notice”? What do you have to do before they take any stronger action?

“Stop! Or I’ll say stop again!”

Read “MasterCard Lays Down the Law” at the comment-free, trackback-free, spam-free SecurityCurve. (I’ve asked a very similar question in “What Do You Need To Do To Get Fined?”)

Stupid Privacy Invasion Fatigue

This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.”

Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports:

Among the report’s most interesting findings: only 14 percent of consumers who were aware of their right to a congressionally-mandated free credit report said the reports were very effective in the fight against ID theft.

“The free credit report thing is basically a farce. It only tells you very specific information about your situation at a point in time,” Litan said. Consumers on the West Coast who downloaded their free report last November aren’t eligible for another year, and have had to watch the long string of data thefts with no recourse but to pay for another peek at their reports. “Everyone assumes consumers are dumb,” Litan said. “They’re not. They know these measures are ineffective.”

‘Not really a prevention tool’
Equifax spokesman David Rubinger said free credit reports were never advertised as a panacea for the identity theft problem.

“This is bearing out what Equifax has always said — free credit reports are not going to stop ID theft. They are just one tool,” he said. “The good news is there are products in the private sector that can protect consumers.”

All three credit bureaus sell credit monitoring services for about $10 a month that allow daily credit report checkups.

Never advertised? Excuse me? You people fought them tooth and nail. And why should I pay $10 a month to enable their business model? So sorry, but I’d prefer to shut down all the gossip-mongers who I don’t choose to work with.

Joel Winston, an FTC lawyer who helps oversee the free credit report provision, agreed that the reports are not a panacea, but he thought the “program is working pretty well.”

“I’m a lawyer for the FTC, and I’m here to help you.”

Beth Givens, executive director of the Privacy Rights Clearinghouse, said “The regulatory agencies have fallen flat on their faces. They are so industry-oriented they have lost sight of who they are really supposed to be protecting.”


China’s Internet Blocking and Ethics

Rebecca MacKinnon has a post about US companies which are selling internet censorship technologies to China, “Confirmed: All Typepad blogs blocked in China:”

It’s a complicated issue. We need greater scrutiny of U.S. tech companies in China by bloggers, journalists, human rights activists, and anybody who cares about free speech and corporate accountability. We need more information about what these companies actually know when they are selling their products and services. To what extent are they actively providing service and support for uses that are clearly aimed to stifle free speech?

I’d like to ask about the ethics of such a thing. In “How about, ‘Don’t Be Evil’”, Tom Ptacek takes issue with the ISC2 Code of Ethics. ISC2 is an information security professional association. I can’t seem to find any advice in it about this situation. The closest it comes is:

Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.

Hmmm, public safety? Isn’t that China’s excuse for a lot of things?

In stark contrast is the ACM’s Code of Ethics. ACM is the Association of Computing Machinists, a broader professional society.

1.1 Contribute to society and human well-being.

This principle concerning the quality of life of all people affirms an obligation to protect fundamental human rights and to respect the diversity of all cultures. An essential aim of computing professionals is to minimize negative consequences of computing systems, including threats to health and safety. When designing or implementing systems, computing professionals must attempt to ensure that the products of their efforts will be used in socially responsible ways, will meet social needs, and will avoid harmful effects to health and welfare.

So, while not resolving the issue of “May I work on a censorware program,” the ACM makes clear and immediate mention of human rights.

My gut belief is that it is wrong to provide deep technical assistance to the Chinese regime, and those doing so should take stock and look for more responsible work.

Uncle Sam’s Privacy Policies (TSA, SSA)

Daniel Solove has posts on “If It’s Against Your Privacy Policy, Just Change It” (Social Security Administration):

This feeds distrust about the government’s law enforcement activities as well as makes people unsure that they are ever being given the complete story about what the government is doing with their personal data. And what good is a privacy policy if it is conveniently rewritten the minute an agency wants to do something different? I am not opining on whether or not the records ultimately should have been shared with the FBI, but the way it was done – secretly, without judicial supervision, and then kept quiet until now — strikes me as very problematic.

and “TSA’s Broken Promise About Secure Flight,” which has also been covered by Ryan Singel, “TSA: Said It Wouldn’t, Did,” but the best analysis comes from Lee Tien of the EFF, posting to Farber’s IP list:

Remarkably, I think the AP story understates the extent of the privacy violations by TSA and its contractor.

They took 42,000 of those names and for each “created up to twenty variations of a person’s first and last names” — then submitted both the 42,000 real names and an extra 240,000 new names to three commercial data brokers (Acxiom, InsightAmerica, and Qsent).

TSA didn’t say how many of these 282,000 names yielded commercial dossiers. But it’s clear that personal information about many tens of thousands of people who didn’t even fly in June 2004 must have been turned over.

Not a single terrorist has been arrested after all this. The government needs to stop wasting money and invading (what little remains of) our privacy, and focus energy on undercover operations.

Trial By Fire

Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad:

This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – or debunking – security product claims. We’ll show how to run a black-box test of a network security product, and provide an insider’s view on how security products are designed – and marketed – to survive product bakeoffs.

From Tom’s blog post, “Shameless Commerce Division:”

The network security space alone represents over two billion dollars per year in revenue. In large enterprises, a single major deal can score a vendor over a million dollars. If you think vendors aren’t employing absolutely every weapon in their arsenal to get their gear deployed, you’re being naive.

A younger, dumber Thomas Ptacek would have railed against the vendors for this. (Maybe even gotten a bit vindictive). But an older, wiser Thomas Ptacek (shut up, anybody from Arbor) has begun to accept that maybe there’s nothing wrong with vendors being aggressive. Gag.

Maybe the problem is how hopelessly outgunned buyers and evaluators are. There’s no Consumer Reports (or better yet, Cook’s Illustrated) for security products. Those publications don’t take advertising, and spend their money on test labs (or kitchens).

I’m excited about this class. Thomas gets how to break products, and his thinking about the origin of the problem matches mine. So, hey, Tom, can I trade you some shameless marketing quote for a seat in the room?

Much like Yoda entering a room, Thomas can wave his hands contemptuously and the Imperial guards will fall lifeless to the floor. Learn how they approach new products. Secrets you won’t learn from the Sith.

Kaiser Permanente, 150 patients, $200,000 fine

Computerworld reports that “Kaiser Permanente division fined $200k for patient data breach:”

The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people.

The DMHC said the information had been available on a publicly accessible Web site for as long as four years.

(There’s also an interesting story with Kaiser suing a whistleblower for bringing this to public attention, which Computerworld covers.)

“Dear Mastercard,”

Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder.
Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell out the terms of just how much these fees and related costs will escalate as soon as I find a typeface that is small enough.

Read Loren Steffy’s “open letter to my dearest creditor.”

Small Bits of Privacy

  • CSO has a “Do it Yourself Disclosure.” Hey, you skimped on security, you might as well skimp on the PR.
  • Wired News comes out in favor of a data protection and privacy law for the US in “Congress Must Deal with ID Theft.”
  • The Financial Times has an article on [UK] “Regulator urges tougher laws on data protection.”
  • MSNBC reports on foxes lobbying to be allowed to guard the henhouse in “PIs fear limits on information access”:

    For their part, the large data brokers say they support identity-theft legislation but are working quietly with banks and other financial services companies — also the source of several recent breaches — to shape the bills.

  • Businessweek has a story, “Lower ID theft rates abroad may aid U.S.”:

    Many countries don’t use anything like Social Security numbers as universal identifiers, which serve as pass keys for criminals opening fraudulent accounts. Also, credit cards generally are harder to obtain and used less often.

    Perhaps most importantly, many countries don’t allow financial records and other data obtained on people for one purpose to be sold or shared without their consent.

    As a result, some of the record-collating done by huge U.S. companies such as ChoicePoint Inc. — one of the aggregators whose records have become fodder for ID thieves — isn’t allowed in most of Europe and Latin America.

  • Wireless Imports offers the Nokia Spyphone for $1,799. You call it from a number, and can listen in on what’s happening around the phone. Word is all vendors offer these to the police, but apparently they’re not buying enough, so the engineering cost needs to be recouped elsewhere. Thanks Human Dog!

CardSystems and Choicepoint

Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that.

That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point of the article was going to be how people know that their banks could make mistakes, and that a bank mistake wouldn’t ever be as upsetting as the Choicepoint error. But now, CardSystems Solutions has done what no bank could do. They’re taking attention away from Choicepoint, and they’re going to take more, for a while. I’d like to explain why I think this.

Firstly, this one is big. As in ten times larger than the previous record. JW mentioned to me that 40m could reasonably be expressed as a percentage of Mastercards issued. (Actually, it was 20m Mastercards, which is just short of 3% of the 698m Mastercards issued.)

Second, like Choicepoint, you have no choice about doing business with Cardsystems. You didn’t know they existed before you heard your credit card was in the hands of Russian thieves.

Third, because what was stolen was credit card data, rather than SSNs, it’s short-lived, and the folks who have it are already under huge pressure to flip the data as many times as they can, as quickly as they can, along with the blame and the legal pressure. That means that most of the impact is going to be on credit card statements this month and next. That compression has an upside, which is no life of fear for the victims, and a downside, which is that Congress is going to be under enormous pressure to pass a law. That’s a downside because Congress legislates in haste, while we all repent at leisure.

Fourth, Cardsystems flubbed their public relations. Their story was inconsistent and confusing. Basic company facts were confused. (Are they headquartered in Tuscon, AZ, Tucson, AZ, or Atlanta, GA? Major media outlets were contradicting each other.) AZCentral tells us:

Actually, the company appears to be headquartered in suburban Atlanta, but has its processing center in Tucson. Or maybe it’s based in Tucson in the winter when executives want to play golf. It handles $15 billion in payments every year.

Finally, they violated their contract with the card providers (by storing CVVs), and their CEO offered a confused story about “research purposes.” (In “Lost Credit Data Improperly Kept, Company Admits,” in the New York Times.)
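The contract point deserves a concrete illustration. The card brands let a processor hold the verification value only long enough to send the authorization; what it keeps afterward must not include it, and should not include the full card number either. The Python below is an added example, not CardSystems’ code or anything from the New York Times story: it separates the record sent for authorization from the record that is allowed to persist, and it audits stored rows for the two things that should never be there. The field names, the regular expression and the sample card data are constructed for illustration.

```python
"""Added example (not CardSystems' code): keep card verification values
out of persistent storage, and audit stored rows for leakage.

The record layouts, field names and sample data are assumptions made
for this illustration, not anything from the original post.
"""
from dataclasses import dataclass, asdict
import re

# Constructed sample input: a well-known test number, not a real card.
CARD_IN = {"pan": "4111111111111111", "expiry": "12/27", "cvv": "123", "amount": 42.50}


@dataclass
class AuthRequest:
    """What is sent to the card network for one authorization."""
    pan: str
    expiry: str
    cvv: str
    amount: float


@dataclass
class StoredTransaction:
    """What may be written to disk or the database afterward.
    There is deliberately no cvv field and no full PAN: once the
    authorization has gone out, the CVV is discarded and only the last
    four digits of the card number are kept for statements."""
    pan_last4: str
    expiry: str
    amount: float
    approved: bool


def build_auth_request(card: dict) -> AuthRequest:
    """Assemble the one-time authorization message from the card input."""
    return AuthRequest(card["pan"], card["expiry"], card["cvv"], card["amount"])


def persist_after_auth(req: AuthRequest, approved: bool) -> StoredTransaction:
    """Return the only record that should survive the authorization."""
    return StoredTransaction(pan_last4=req.pan[-4:], expiry=req.expiry,
                             amount=req.amount, approved=approved)


def record_to_row(rec: StoredTransaction) -> dict:
    """Flatten a stored record into the dict shape the auditor scans."""
    return asdict(rec)


# A bare run of 13 to 19 digits is treated as a full card number.
PAN_RE = re.compile(r"\b\d{13,19}\b")
# Key names under which a verification value tends to be stored.
CVV_KEYS = {"cvv", "cvv2", "cvc", "ccv", "cid", "security_code"}


def audit_records(rows: list) -> list:
    """Scan persisted rows (dicts) and report fields that must not be
    stored: any CVV-like key, or a string value that looks like a full PAN."""
    findings = []
    for i, row in enumerate(rows):
        for key, value in row.items():
            if key.lower() in CVV_KEYS:
                findings.append(f"row {i}: field {key!r} holds a card verification value")
            elif isinstance(value, str) and PAN_RE.search(value):
                findings.append(f"row {i}: field {key!r} holds a full card number")
    return findings


if __name__ == "__main__":
    stored = persist_after_auth(build_auth_request(CARD_IN), approved=True)
    print("clean row findings:", audit_records([record_to_row(stored)]))
    # A row shaped the way the post describes: full PAN plus CVV retained.
    leaky = {"pan": CARD_IN["pan"], "cvv": CARD_IN["cvv"], "amount": 42.50}
    print("leaky row findings:", audit_records([leaky]))
```

The split into two types is the design choice that matters: a `StoredTransaction` cannot carry a CVV because it has nowhere to put one, so the “research purposes” retention the post describes would have required a deliberate change to the schema rather than a forgotten delete. The auditor is the cheap check a processor can run over its own tables and logs before a card brand runs it for them.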