Author Archives: Jeremy

HD DVD Crack Gets Widespread Attention

This article is worth reading just from this tagline alone:

Last night, the AACS LA's attempts to keep an HD DVD crack under wraps backfired in a spectacular fashion. Pandora's Box is now wide open, and there's no going back now.

The problem with DRM is that they companies are doing this for entirely their benefit at the detriment of normal users. It's no wonder that the entire Internet community is against them. Now if we could only get that kind of response for RFID.

Harsh Penalties for Making a Game Map of Your School

Apparently, a student made a game map of his school and uploaded it for his friends to play on. What this means is that anyone who plays on that map could play a given game and have a virtual shootout at the school.

People have lined up on both sides of this issue saying that it was harmless and others who think it encourages school shootings. To each I ask this question, if a neighbor kid had made a game map of your house and yard where the goal was to break into the house steal, rape, and kill the people inside, would you be ok with it?

Make all the custom maps you want, but if you want to model real structures then you'd better be prepared to justify it.

(H/T to Slashdot for the link)

Consumer Affairs on Video Game Violence

I'm not ready to say that video violence leads to real violence, but I do know that fantasy violence is desensitizing (after 7 years of CSI, I don't even flinch anymore). More importantly about this article is the discussion of gamer addiction which is a very real problem and likely to get much worse.

The title is the Addictiveness of Virtual Violence, but even by admission of thier own article, it's not the violence that's addictive, but the psuedo-social aspects as well as the feeling of building something worthwhile. "If I just work another 8 hours, I'll gain a level (whee!)".

On that note, you might be interested in my article about avoiding gaming addiction while still playing the game. In my case, I play the far less popular City of Heroes (as opposed to the massive audience of WoW), but the principle still applies.

Privacy Organizations Unite Against Bush Nominee

In what is hardly news, Bush again picks a poor choice for an important position. Michael Baroody, a high-ranking member of the National Association of Manufacturers, has been nomintated as chair of the Consumer Product Safety Commission (the agency responsible for reigning in manufacturers). What exactly is it about conflict of interest that Bush doesn't understand?

Link to ConsumerAffairs article.

ID Theft Taskforce Issues Final Recommendations and Strategic Plan

On April 23rd, the ID Theft Task Force that's chaired by Alberto Gonzales (the US Attorney General) and co chaired by Deborah Platt Majores (the chairwoman of the FTC) has released their final recommendations for reducing identity theft.

Here are a few of their better recommendations:

  • Decrease the unnecessary use of social security numbers in the public sector
    For example, the federal Office of Personnel Management (OPM) has already done an internal review and realized that they were using SSNs in many cases where it wasn't necessary. They havebegun issuing employee numbers instead of just using SSNs.

    Dang straight! Stopping data rape is a very good first step.

  • Develop comprehensive record on private sector use of SSNs
    What they mean by this is that they need to study how SSNs are used in businesses to determine how much is legitimate use and how much should be stopped, controlled, or altered. They plan to have completed this study and made recommendations to the president by first quarter '08.

    Ditto above: Stopping data rape is a very good first step.

And here are some of their less-thought-out ones:

  • Educate Federal Agencies on how to Protect Their Data and Monitor Compliance With Existing Guidance
    Okay… Granted, bringing laptops home to get stolen was stupid the first time and got successively stupider as time went. Theoretically, by teaching the agencies obvious security and then monitoring compliance, we should be able to stop or reduce that particular type of data loss.

    The important point to note here is that if an agency fails to protect data properly, they will be harshly punished by having that fact noted on their PMA scorecard *rolls eyes*. What this means and what the consequences are (if any), I have no idea.

  • Ensure Effective, Risk-Based Responses to Data Breaches Suffered by Federal Agencies
    This means they're going to develop a set of guidelines on how to handle breaches and issue it to all agencies (which they've already done). The guidlines will (emphasis mine):

    set forth the factors that should be considered in deciding whether, how, and when to inform affected individuals of the loss of personal data that can contribute to identity theft, and whether to offer services such as free credit monitoring to the persons affected.

    Ugh. So they might not even tell you that they messed up by losing your data now? That's some good accountability there. And credit monitoring? Are they still going on about this? I find it so hard to trust the opinion of someone who suggests credit monitoring as any kind of response to a data breach.

  • Establish National Standards Extending Data Protection Safeguards Requirements and Breach Notification Requirements
    They want to create a national standard of safeguards that applies to all "private entities that maintain sensitive consumer information". More importantly, they say that all such entities must be required to notify law enforcement and consumers of a breach. Though this requirement would only come into effect if there was "significant risk of identity theft" due to the breach.

    Their justification for this is that consumers wouldn't want to be "overwhelmed" by breach notifications. That's crap. If a company has to send out an "overwhelming" amount of breach notifications, perhaps enough people would leave that company to make said company actually implement some security. This loophole also fails in that there's a lot of wiggle room in "significant risk". Who decides what's significant risk or not? The company? If so, I bet all breaches will be labeled "low risk".

    Ah yes, and let's not forget our favorite clause. This legislation will preempt state laws on data breaches.

Where's the Freeze recommendation?

For those who don't know my site, I am a big proponent of credit security freezes. I am severely disappointed in this final set of recommendations in that they softened the language from their initial recommendations from

For residents of states in which state law authorizes a credit freeze, consider placing a credit freeze on their credit file.7 This option is most useful when the breach includes information that can be used to open a new account, such as SSNs. A credit freeze cuts off third party access to a consumer’s credit report, thereby effectively preventing the issuance of new credit in the consumer’s name.

to

Among the state-enacted remedies without a federal counterpart is one granting consumers the right to obtain a credit freeze. Credit freezes make a consumer’s credit report inaccessible when, for example, an identity thief attempts to open an account in the victim’s name. State laws differ in several respects, including whether all consumers can obtain a freeze or only identity theft victims; whether credit reporting agencies can charge the consumer for unfreezing a file (which would be necessary when applying for credit); and the time allowed to the credit reporting agencies to unfreeze a file. These provisions are relatively new, and there is no "track record" to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers. An assessment of how these measures have been implemented and how effective they have been would help policy makers in considering whether a federal credit freeze law would be appropriate. Accordingly, the Task Force recommends that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws, and report on the results in the first quarter of 2008.

This is very weak and isn't even a recommendation of it's own, just a sub-component of "Assess Efficacy of Tools Available to Victims". So it went from the nice, solid (and correctly worded) "effectively preventing the issuance of new credit in the consumer’s name" to "there is no 'track record' to show how effective they are, what costs they may impose on consumers and businesses, and what features are most beneficial to consumers". Ok. Sure.

I'm going to stick with my original assessment, the ID Theft Task force has failed. Yes there are consequences to businesses and commerce if we implement credit freezes. Industries that thrive on consumer debt (ie, 21st century slavery) will dry up or at least be cut down a limb or two and credit reporting companies will make less money (boo hoo).

But if the question is "what is the easiest, quickest, most effective way to curb ID theft", Credit Security Freezes are the hands-down answer.

Update

ConsumerAffairs chimes in. Note that they are the site that lists all the state credit freeze laws.

Update 9/27/2007

It looks like the credit reporting companies are starting to read the bones and pre-emptively offer credit freezes before they get legislated into having to provide it on worse terms and lower fees. Two out of three have jumped onto the bandwagon with only one holding out so far.

Vista May Knock Down Microsoft Monopoly

This is an iteresting article about how Vista, with it's poor security, lack of compatibility, high price, and integrated features that users hate (like DRM and security alerts) might make people start to seriously wonder why they're still using Windows.

I don't personally buy the argument that Linux will be the system they run to because I haven't yet seen a version of Linux that could match the user friendliness of Windows (with the possible exception of SUSE). But I'm no Linux expert. We'll have to see.

(H/T to Schneier for the link)

And on that note, be sure to check out this link for an article comparing Ubuntu Linux VS MS Vista.

Spyware to be Legalized

From the, "why, oh why, doesn't stupid hurt?" department, congress is now considering a bill similar to the CAN-SPAM act for spyware. Like the CAN-SPAM act, it doesn't actually stop anything, but rather legalizes it instead.

Let's sum up. If the Spy Act become law, hardware, software, and network vendors will be granted carte blanche to use spyware themselves to police their customers' use of their products and services. Incredibly broad exceptions will probably allow even the worst of the adware outfits to operate with legal cover. State attempts to deal with the spyware problem will be pre-empted and enforcement left up almost entirely to the FTC. Gee, what's not to like in that deal?

(H/T to Slashdot for the link)

Microsoft Claims Sender ID is Working Well

From the "consider the source" department, Microsoft is tooting their own horn about how well Sender ID prevents spam. The part about this that kills me is that if Microsoft made one stupidly obvious change to Hotmail, I would almost never open spam e-mails.

All they need to do is let me see the actual address of the sender instead of just the name. That way I wouldn't confuse barbara@realsite.com with barbara@diywehhh.du.ru (which I do because Hotmail will only show you "Barbara" as the sender for both if that's the name they entered).

Right now, it is only this ridiculous flaw that causes me to open spam messages at all. Sometimes I can't tell if a message is real or not until I do.

Montana Rejects REAL ID

While they aren't the first (even though they mysteriously claim to be).

"We also don't think that bureaucrats in Washington, D.C., ought to tell us that if we're going to get on a plane we have to carry their card, so when it's scanned through they know where you went, when you got there and when you came home," said Schweitzer, a Democrat.

(H/T to Slashdot for the link)

DNA Drive-By Accusations

If you're related to a felon or just happen to have similar DNA, the Police may come knocking at your door.

This is just one more reason why we need to fight and fight to prevent any type of collection and storage of DNA information from innoent people. I know that targetting relatives doesn't initially require DNA, but the obvious next step once they find that relative is to force a DNA sample for comparison.

I'm not certain I'm against that in some cases, but the primary question that comes to mind is, what do they do with the DNA evidence once the relative has been ruled out? Does it stay forever (likely) even though they were innocent?

(H/T to Privacy.org for the link)

Police “Book” Unruly 6 Year Olds

Tantrum turns to police record.

She flailed away at the teachers who tried to control her. She pulled one woman’s hair. She was kicking.

Unless the kid has a knife or some other kind of weapon, nothing they can do could be counted as dangerous.

Desre’e was charged with battery on a school official, which is a felony, and two misdemeanors: disruption of a school function and resisting a law enforcement officer. After a brief stay at the county jail, she was released to the custody of her mother.

So your kid has a felony and two misdemeanors on record from the time they're 6? What was wrong with the normal way, calling her mother? So now this poor girl, her mother, the community, and most of the Internet all have less respect and trust for police officers. Great work Florida.

(H/T to Schneier for the link)

California Working to Ban RFID Tagging of School Kids

From the "thank god someone is paying attention" department, California is working on a bill to ban RFID chipping kids.

Legislation approved Monday would prohibit public schools from requiring the implementation of radio-wave devices that broadcast students' personal identification and monitor their movement around campus — information the mechanical horrors could theoretically use to turn our children into livestock.

More RFID bills led by Simitian are currently being sent through California committees. One bill places a similar temporary ban on RFID technology in California driver's licenses. Another will place privacy safeguards on any existing RFID-enabled government IDs. Simitian also has led a bill that would restrict forced RFID chip implants in people.

Nice. Yeah, California!