TJX, the company that is known for having the largest data breach in history (so far), has not implemented better security and might have gotten worse. The employee that blew the whistle on them has been caught and fired for it.

TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords.

Hey! That probably means they'll find THIS page. Sweet.

If that's the case, then here's my message to them: Stop storing all that personal data about us against our will and you won't have to pay for more security. You can't lose what you don't have, duh!

This should be interesting. If China didn't take some serious precautions when implementing RFID for their tickets, we should be hearing any day now about people who remotely cloned someone else's ticket and got into the game denying access to the others.

Or, since passport information is stored on the ticket as well, someone with a scanner can find anyone from a given country should they wish to target someone based on their nationality. Let's see what happens.

(H/T to Slashdot for the link)

It's amazing and I promise it's no joke, but both congress AND Bush did something right by drafting, passing, and then signing into law the Genetic Information Nondiscrimination Act.

Some provisions of the law include:

- Prohibiting group health insurance plans and issuers offering coverage on the group or individual market from basing eligibility determinations or adjusting premiums or contributions on the basis of an individual's genetic information. Insurance companies cannot request, require or purchase the results of genetic tests, and they are prohibited from disclosing personal genetic information.

- Prohibiting issuers of Medigap policies from adjusting pricing or conditioning eligibility on the basis of genetic information. They cannot request, require or purchase the results of genetic tests, or disclose genetic information.

- Prohibiting employers from firing, refusing to hire, or otherwise discriminating with respect to compensation, terms, conditions or privileges of employment. Employers may not request, require or purchase genetic information, and they are also prohibited from disclosing personal genetic information. Similar provisions apply to employment agencies and labor organizations.

So much for the future shown by the movie Gattica.

Note that McCain would have probably vetoed it based on what I heard about him the other day.

(H/T to Slashdot for the link)

Today there was a talk about Cyberbullying that revealed some really fascinating information. Elizabeth Englander from MARC (the Massachusetts Aggression Reduction Center) game a very spirited talk with some good statistics from her group's studies.

• Grappling is the name for either staging a fight or ambushing someone and recording it to upload to Youtube later. There has been at least one suicide as a result of these attacks where a girl was attacked, stripped, and violated with the entire episode uploaded to Youtube.
• When asked what the motivation was for being a cyberbully, kids (ranging from middleschool to college) listed mostly either "because it was fun" or "because I was angry". The most interesting thing about this statistic is that it broke down almost perfectly along gender lines. Can you guess which is which? Boys did it for fun and girls because they were angry.
• There's at least one school district where the teachers have threatened to strike unless they are allowed to collect cellphones at the door. This comes out of situations like the one where the students provoked their teacher on purpose and recorded his angy reaction for upload to Youtube.

Another very interesting thing that Elizabeth said due to a question about the effectiveness of Public Service Announcements about cyberbullying was that, in her state at least, they held a contest for teens to create public service announcements that would get the message out to people of their own age. That's brilliant! As the commenter in the audience said, the "This is your brain on drugs" and "I learned it by watching you" PSAs from our youth were really more of a joke than anything. Teens are probably best equipped to create something that their peers will pay attention to.

You can find out more about MARC at their website.

Today before the first panel at the conference, I heard a presenter who had to be in his 70's or close to it say, "I feel so naked without my laptop".

And that has been today's CFP conference highlight

I was given the opportunity to give a five minute talk on any topic of my choice relating to computers, freedom, or privacy preceding the conference dinner on Wednesday. Narrowing down all the things I would want to say was difficult at first, but of course had to be nothing other than credit freezes.

It drives me nuts that there's still so few people that know about this very important tool and I made sure that at least my fellow computer, freedom, and privacy advocates and peers would know. It turns out that there were many who hadn't heard of it before. After my talk, I had many people come to ask me about more details or to tell me that they spread the word to their friends and family. One even invited me to come speak at his church at a large event he's hosting in the fall!

It's a good start.

I have been challenging the value of Lifelock for a while based on the fact that they claim to prevent ID theft, but can't. It looks like several other people have come to that conclusion and are busy suing him for as much of his millions that they can get.

The problem is that even with CNN, Wired, and Yahoo finally getting around to spreading the word, Lifelock is still going very strong.

Even though I've been chasing lifelock postings around on the net and posting comments letting people know the truth, I don't think my efforts are going to amount to much in the long-run.

That's why I've decided to challenge Todd Davis directly. He's obviously a showy type that feels comfortable challenging others so now it's time to turn the tables.

I've looked into Lifelock's features and found them useful, but far from worth the money spent. But with only one feature addition, that could all change. So let's get to it:

So there you have it. What are the odds that he'll actually respond? We shall see…

I ended up sitting next to Peter Pietra, the head of the privacy department at the TSA. This gave me an interesting opportunity to talk about issues of privacy when dealing with their agency and the first thing I asked was about the pornographic backscatter x-ray devices.

He was clearly frustrated (and I don't blame him) as I'm sure this is a topic that assaults him regularly. The issue is that backscatter CAN see through your clothes, but the TSA orders the devices preconfigured at a level that prevents them from seeing pictures such as these one on the Internet. They are also unable to modify the configuration. In fact what they actually see, as shown on their site, is smeared blob that highlights objects, but not skin.

The issue that I have here is that if the TSA's claims of how they use the technology are true, then what the hell was all the hype about?

Images will be deleted immediately once viewed and will never be stored, transmitted or printed (the passenger imaging units have zero storage capability)

Metallic and non-metallic objects are displayed, including all items that a passenger may be carrying on his/her person

Also, according to the website, you can always choose to have a pat-down instead.

I asked Peter about this because it seems to me most people aren't going to know to go to the website and read about Backscatter before being faced with it at an airport, but he said that the sample picture on the web is printed right on the machine and people are supposed to be shown the picture and told of the option for pat down prior to being scanned.

Final Thoughts

I notice that the picture on the TSA site is from behind so probably doesn't fairly show how much frontal detail they would see so for full disclosure, they should show a frontal picture. However, I can understand why someone wouldn't want to show what amounts to nudity on these machines for propriety reasons and don't necessarily consider that evasive.

What more can you ask for than clear disclosure and a reasonable choice? Granted the technology can be used for worse things, but the devices is about as small and conspicuous as a casket so you'll never be scanned without your knowledge. If they are configured correctly, store nothing, and you can opt for a pat down, then perhaps some have been too harsh on both the technology and the agency.

Speaking of, EPIC's article that led me to write about backscatter in the first place unfairly show the capabilities of backscatter ignoring the actual use of the technology by the TSA. I'm sure there's someone from EPIC around the conference somewhere and I'll be sure to ask them about it.

What TSA Sees

What EPIC Shows

Last year, credit reporting companies "voluntarily" implemented credit freezes in all states in a desperate attempt to prevent more states from passing laws with worse terms than they wanted (that's my theory anyway).

Now Georgia has passed just such a law. Starting August 1st, people will be able to freeze their credit for only $3, a full $7 less than the $10 the credit reporting companies allowed in their "voluntary" plan.

Even better:

The new law also eliminates a major objection of retailers and other grantors of instant credit: that freezing a file was too much of a hassle for someone applying for an in-store credit card or car loan on the spot. Under the law, consumers will be able to "thaw" their files temporarily, and credit bureaus are required to comply within 15 minutes of the request — a first in the country.

Good. Now they have no excuse for making the thawing process more difficult for any other state.

Today at the Computers, Freedom and Privacy Conference, we opened with statements from representatives from the Obama and McCain campaigns (Clinton declined to attend).

Obama

Daniel Weitzner from MIT represented Obama's campaign. He opened by talking about Obama's major views as they relate to privacy and technology.

Obama believes in:

• Greater accountability in government
• Keeping government information and operations open and transparent
• Citizen participation in decision making
• The appointment of a government Chief Technology Officer to oversee these types of issues

McCain

Chuck Fish, a Patent Lawyer and part of McCain's legal team came to represent his campaign.

McCain believes in:

• Promoting American innovation
• Taxing the rich is a popular idea, but it's the pursuit of riches that drives innovation
• The system should reward the behaviors that we want to reward
• We need to develop a skilled workforce
• We should very lightly regulate the market and let it take care of itself until such point as they fail
• Market regulation should focus on anti-competitive behavior

Open Questions

Next were questions asked by the moderators of the panel:

Q: "What do you see as the role of government in providing access to our basic communications infrastructure (the Internet)"

(McCain) Chuck – Can't understand his answer. Very politicalese. I'm fairly certain that he didn't answer the question, but it's hard to tell.

(Obama) Dan – Rather than focus on the infrastructure, it's important to protect the openness of the Internet. Even if we were to stay on dial-up or were years behind other countries on bringing broadband to our people, that's really secondary to protecting the nature of the Internet. He also noted that McCain's view of a self-regulating market will maintain open Internet (and I agree).

Q: "NSA Wiretapping – what would their position be on liability of carriers. What changes to Fisa"

(McCain) Chuck – "Immunity is a tough question because there's competing values. We're not talking about granting indulgences…" Again, hard to follow. Many words come out, but not much is said. The only thing he said of substance in his several minute non-answer to the question was "There needs to be hearings to find out what actually happened and what harm was actually done" which is to say that he will "look into it".

(Obama) Daniel – Obama's history and future view is to strengthen judicial review of administrative subpeonas, National Security Letters and the gag orders that accompany them. When surveillance is used, there must be real, meaningful oversight. Obama voted AGAINST retroactive immunity. McCain did not vote against them (which Dan feels is tacit approval).

Obama realizes that advanced surveillance and data mining can be important tools for national security, and they should be available, but with appropriate oversight. It's important to guard against mission creep! Woo! Someone gets it!

Q: "American companies are assisting China in censoring it's citizens. What would a given candiate do about that?"

(Obama) Dan – No official position, but if Dan had to offer advice to the campain, it would be that the lesson of the efforts in the US in the mid-90's to persuade countries to adopt an open Internet should be continued. We should open a dialogue and encourage and persuade countries to realize the benefits while using our influence to lead them towards more openness.

(McCain) Chuck – No explicit policy either. But the values that the campaign holds that would apply is to go slowly and carefully. It's always wrong to believe that you can legislate the behavior of people in other countries. Show the repressive regimes the benefits that openness provides, we will lead by example.

Open Questions

Next were open questions from the audience.

Q: "Email use by President – Will your candidate use e-mail. Does McCain know how? Will they avoid requirements to save e-mails by using other services outside of the Whitehouse?"

(McCain) Chuck – McCain does know how to use e-mail. As for avoiding requirements, you can tell from the tenor of his career that any perceived impropriety is anathema. Very little is more important for himself and country than acting honorably and keeping himself clean.

(Obama) Dan – There's a real commitment in Obama tech policy to keep government open and keep the flow of information open. Hiding e-mail wouldn't meet his commitment to open government.

Q: "Bush doesn't want to use e-mail because it becomes public record, but both of these candidates have records of believing in open government. But what will they do to keep government open?"

(McCain) Chuck – Answered by listing the example of require reporting of all data about sex offenders. He seems to have misunderstood that open government is about reporting what the GOVERNMENT is doing, not citizens.

(Obama) Dan – Bush administration has gone way overboard in classifying information. Obama called for national declassification center.

Q: "Clinton administration mandate cell companies to track users for 911. Companies are tracking all the time when powered. No legal limitations for what use can be made. Should this be protected by judicial oversight?"

(Obama) Dan – No position on that, but clear position of looking at tech capabilities that are not being addressed from a privacy perspective.

(McCain) Chuck – First ask, is there a problem and does the law already deal with it? If there was a possibility of current harm or future harm, then perhaps regulation would be appropriate, but otherwise, just trust but verify.

Q: "Net Nuetrality – How far would either of you go to live up to the view that the Internet is a tool for Democracy?"

(Obama) Dan – Obama wants to maintain openness of the Internet. Before we fight what the Internet may become, we should ask if we want to go where it's going. Do we like what it's evolving too. Either way, currently the regulatory agencies lack the power to get involved.

(McCain) Chuck – Understand Internet is important. But adverse to regulation, must have real evidence of harm. Don't want to stifle innovation.

Q: "Where do you think the burden lies for protecting information. American's must show harm? Or burden on Government that there's a justification for accessing my private information"

(McCain) Chuck – Companies always have known more about us than the government. We shouldn't have solutions seeking problems, but the opposite. Show the problem before acting.

(Obama) Dan – Increase FTC enforcement authority and budget. Too much burden on individuals to negotiate their privacy rights with whoever they deal with. Though our privacy laws are more modest than others, we've seen progress in our regulation. It's not up to normal people to protect their personal security. That's unreasonable. We don't have the time, energy, or (sometimes) capability.

Q: [my question] "Does your candidate realize the problem of Congress creating laws that over-rule stronger state laws that protect our privacy and freedom and would they have the balls to veto such a law?"

(McCain) Chuck – Clearly recognizes the importance of federalism. Always the rub whether what you have is well intentioned preemption or something else. Not the campaign's policy to over-turn what approaches of 3 centuries of preemption law. In other words, leave it to congress to make the determination of what is an appropriate level of preemption.

(Obama) Dan – No general position on preemption, but it's a right thing to keep an eye on. In other areas the benefit of some mount of federalism, but preemptive will come up. Depends on context.

Summary

This affirms in my mind that Obama is far beyond McCain in understanding privacy and technology issues. Obama wants to undo some of the damage Bush has done to us in recent years and is aware that regulatory agencies are valuable. He even believes in passing laws BEFORE there's a critical breakdown.

McCain is a fool that believes the market can regulate itself. With that alone, he's dead to me.

I'm at the Computers Freedom and Privacy conference of 2008 and I'm currently sitting in an interesting panel about something I had no idea about. I assumed that deceptive voting practices meant e-voting, but what they're actually talking about is modern-day Jim Crow laws.

I suppose I should have known better, but I wasn't aware that there were still problems with disinformation encouraging people not to vote. Often the misinformation will come in e-mail or physical mail and will seem very authentic appearing to have come from some state agency or well-known organization. They will try to discourage you from voting by telling you:

• that due to massive expected turnout, Republicans would vote on election day and Democrats the day after (thus eliminating Democratic votes from the election).
• that if you have unpaid parking tickets or child support, you'll be arrested when you go to vote
• that the polling location has changed
• that any ex-cons can't vote (note that this may be true depending on the state you're in, but be sure to check before deciding not to vote)
• that the voting registration deadline has long passed so there's no point in even trying now

There's more, but that's a start. If anyone tells you that you can't vote for some reason or that your polling location/date has changed, verify the information before acting on it!

This is one of the coolest things I've seen and the best part is that it works! Take a hard-boiled eggs, crack and then tear a little bit of the shell from the top and bottom, blow into it and it pops right out! I was making egg salad yesterday and I found this tip online and tried it right then. 7 perfect eggs in a row.

The only thing this video and others like it doesn't tell you is when to do it (when they're still warm, cooled down, etc). I looked up some info that said to take the hot egg, run it under cold water for a few seconds, and then peel normally.

I combined the two and took my hot egg, ran it under cold water for about 8 seconds, cracked the top and bottom, tore a bit off each end and blew. Perfection.

This is 50 times better than the nightmare I had peeling eggs for Easter!

If there was a disadvantage to Firefox, it would be stability and memory. Those have apparently been fixed in version 3 (due out in June), but one of the most exciting features will be Firefox's brand new speed advantage.

Mozilla VP of engineering Mike Schroepfer claims that Firefox 3 is 9.3x faster than Microsoft Internet Explorer 7 and 2.7x faster than Firefox 2 in terms of JavaScript performance. In terms of Gmail message load time, he claims Firefox 3 is 6.8x faster than IE7 and 3.8x faster than Firefox 2. And he says Firefox 3 beats Apple's Safari, which is also faster than Firefox 2.

I'm looking forward to it.

Some very interesting facts from the Crimes Against Children Research Center:

In the vast majority of Internet sex crimes against young people, offenders did not actually deceive youth about the fact that they were adults who had sexual intentions. Acknowledging that they were older, the offenders seduced youth by being understanding, sympathetic, flattering, and by appealing to young people’s interest in romance, sex and adventure.

Although cases of abduction, forcible rape and murder have occurred, they are very rare. According to research looking at crimes ending in arrest, violence occurred in only 5% of cases. In most encounters, victims meet offenders voluntarily and expect sexual activity, because they feel love or affection for the person they have been corresponding with. Typically they have sex with the adult on multiple occasions. Most of these crimes are statutory rather than forcible rapes.

Virtually all cases of Internet sex crimes involve youth 12 and up. Most victims are ages 13 – 15. Younger children have much less interest than teens in interacting with and going to meet unknown persons they have encountered online. Avoid implying that the typical youngster vulnerable to online offenders is a young child.

Research has shown that simply posting or sending some personal information online does not put youth at risk. The reason is that most young people (like most adults) do give out personal information. It is hard to be online without doing so. A warning ("Never give out personal information online") that is so broad and runs counter to such common practices is not likely to make young people trust the source of such advice.

And a set of consolidated advice:

1 ) Be smart about what you post on the Web and what you say to others. The Web is a lot more public and permanent than it seems.
2 ) Provocative and sexy names and pictures can draw attention from people you don't want in your
life.
3 ) Sexy pictures can get you into trouble with the law. If you are underage, they may be considered
child pornography, a serious crime.
4 ) Be careful what you download or look at, even for a laugh. Some of the images on the Internet are
extreme, and you can’t “unsee?? something.
5 ) Going to sex chat rooms and other sex sites may connect you with people who can harass you in
ways you don't anticipate.
6 ) Free downloads and file-sharing can put pornography on your computer that you may not want and
can be hard to get rid of . Any pornography that shows children or teens under 18 is illegal child
pornography and can get you in big trouble.
7 ) Adults who talk to you about sex online are committing a crime. So are adults who meet underage
teens for sex. Some teens think it might be fun, harmless or romantic, but it means serious trouble
for everyone. It’s best to report it.
8 ) Don't play along with people on the Web who are acting badly, taking risks and being weird. Even
if you think it's harmless and feel like you can handle it, it only encourages them and may endanger
other young people.
9 ) Report it when other people are acting weird and inappropriately or harassing you or others. It's less
trouble just to log off, but these people may be dangerous. Save the communication. Contact the site
management, your service provider, the CyberTipline or even the police.
10 ) Don't let friends influence your better judgment. If you are surfing with other kids, don't let them
pressure you to do things you ordinarily wouldn't.
11 ) Be careful if you ever go to meet someone you have gotten to know through the Internet. You may think you know them well, but they may fool you. Go with a friend. Tell your parents. Meet in a
public place. Make sure your have your cell phone and an exit plan.
12 ) Don’t harass others. People may retaliate in ways you don’t expect.
13 ) You can overestimate your ability to handle things. It may feel like you are careful, savvy, aware of dangers, and able to manage the risks you take, but there are always unknowns. Don’t risk disasters.

The above is documented in this PDF.

Lovely.

Customers in shopping centres are having their every move tracked by a new type of surveillance that listens in on the whisperings of their mobile phones.

The main point here is that business are highly interested in knowing everything they possibly can about you. The more then know, the more they can manipulate.

Just wait until everything we're carrying has an RFID chip in it. That will make their jobs so much easier.

(H/T to Slashdot for the link)

As part of a social experiment, attendees at a hacker conference in July will be issued badges with electronic tracking devices. Large displays will show in real-time where people go, with whom they associate, for how long and how often.

Hopefully after seeing how easy it is to tag and track someone with RFID, people will become more aware of what a dangerous technology this could be if we don't pass strong privacy regulations to prevent their misuse.

(H/T to Slashdot for the link)

I'm really jazzed about going to this conference. They've got some really cool events lined up like:

Hate Speech and Oppression in Cyberspace

Kids taunting classmates (with resulting emotional scars and even suicide); harassment, stalking, and death threats; and organized and race-, gender-, religion-based hate groups; prominent bloggers like Kathy Sierra and Blackamazon have take their blogs down after death threats or attacks … along with all its promise and power of cyberspace, the Internet also distributes words and images of hate that often lead to real-world violence.

And

Activism and Education Using Social Network

We plan on examining several different types of social networks. Some of these networks are geared toward sending out 'news blasts' to your network of friends, while others support having a much deeper conversation about the topic at hand. Protest groups on Facebook can quickly grow to over a million people– and lead to millions demonstrating in the real world. New technology such as "causes," now available both on Facebook and MySpace, allows for fundraising and eases recruiting. Easy sharing can increase the viral spread of videos and web pages. Innovative mashups like those promoted by Netsquared with their Mashup Challenge make information and calls to action more easily available to more people. We'll survey the available functionality and describe how to use the different variants for education and activism activities, as well as giving tips on how to become part of the particlar social network community that the participant is interested in.

The program is here, but you only have a few more days to sign up so get on it!

Using only a photocopy of a driver's license and a social security number, James Harman bought over 3 million dollars worth of goods in his brother's name.

The most important point to this story? It wouldn't have happend in the first place if he'd had a credit freeze, but it still would have even if he'd had any kind of monitoring or insurance plan (even Lifelock).

There have been a rash of really good superhero movies recently with the most current being the much-touted Iron Man (which I've yet to see so don't spoil it!) and Batman Begins (not only the best Batman movie ever, but one of the best movies ever made in my opinion).

One question that always pops into our minds (ok, my mind) when watching these movies is, how cool would it be to have that power? How cool would it be to have a super-power at all! But what super-power would be best?

Well today, I give you that answer.

I thought long and hard about what powers would be most useful and powerful and there's many to choose from (Telekinesis, Mind-Reading, Shapeshifting, Illusion, and on and on). The problem is that each has a weakness or a situation that renders it useless.

Illusions don't work on machines and won't help you stop a bullet or save your darling as she plummets to her death from a tall building. So maybe go to Telekinesis to save your falling damsel, stop the bullet, and toss those robotic enforcers across the horizon, but then what about that secret poison needle that your "darling" is planning to betray you with? Mind-reading will come in very handy here, but is no good for attack dogs, Mexican wrestlers, or being pushed out of an Airplane. You see how this can go on for a while…

Anyway, after long and hard deliberation, I've come up with a power that would fit nearly every need and be useful for everything from falling pianos to sticking your foot in your mouth. Undo.

That's right, undo. Imagine:

Think of the possibilities!

And it doesn't have to be just once. If you turn down a street and get mugged only to undo and try a different street and get mugged again, go back a little earlier to when you left the hotel and take a cab instead.

If there's a limit to how far you can go, it's based mostly on how much of your life you want to relive. Maybe you just want to try the whole day over again. Maybe you made a horrible mistake a week ago, but didn't realize it until just now. Maybe you developed cancer months ago and if they had known then, you'd have survived. UNDO!

The Super-hero Gig

Maybe you can't stop a bank robbery, but you'd be able to call the SWAT team in at just the right time. Maybe you can't stop a meteor from coming down on your house, but you can back up a week and say, "Let's move! RIGHT NOW". You can't stop the violence in Iraq, but you could certainly help as an informant and keep yourself from getting killed if you went there.

Sure you don't get the glory of being in tights and impressing the all the chicks, but you'll never have to worry about missing a deadline, saying the wrong thing, being in the wrong place, or betting on the wrong horse.

The only two questions left are, what do you call yourself and is there any type of super-villain that could defeat you?

There are some companies that seem to be making videos for YouTube that don't specifically mention any products, but feature the products prominently none-the-less. At least one person has noticed the trend and reported on it in at least two videos, one that has already been proven to be an ad and the other only just released.

Obviously the new ad has the same goals as the old: to market a product without actually naming it, by appealing to the public's love of Internet stunt videos.

I don't really have a problem with this. They're getting attention for the product with legitimate interesting videos. Whether a pro company made it or not, the stunts are pretty interesting and people are watching it for that. Assuming they're not trying to give the impression that these are amateur videos anyway.