Author Archives: Jeremy

TJ Maxx and Marshalls Hacked (Yawn)

In a not so surprising story, some large chain stores have been hacked and had their databases of customer information stolen creating a risk for thier customers.

The end result is that consumers are often left completely in the dark when data breaches occur, wondering if they dodged a bullet, or if the inconvenience and frustration of fraud is simply waiting to hit them at a later date.

I hate these stories. If they didn't data rape people in the first place, this wouldn't even be a problem.

See!? That’s What We’ve Been Saying!

In the Washington Post was a nice article explaining how even a normal average citizen can be tracked during her whole day through technology that exists right now. From the article:

Domino's tracks her name, phone number, address, and size and type of pizza ordered. Unless a store decides otherwise, the data are held forever. That way, Domino's can provide more personalized service — "Hi, Ms. Bernard, would you like your regular — mushroom and sausage?"

This is classic data rape. She didn't ask them to store it, and they didn't ask her permission, they just took it. No company should be allowed to do this.

Bernard's credit card companies know her income and her shopping habits. They can share her information with affiliates without her permission and need not stop even if she asks them to.

Cheery.

I also found interesting the section talking about RFID. I was happy to see that they included the information about how RFID can be hacked.

Best Buy Fights the Devil

Sixwise gives and in-depth review of Best Buy's plan to "actively…eliminate " what they call "devil" customers. I've written about this before, but I like how they list specific actions that could land you on the "blacklist".

Most notably, this is the advent of "customer reports" similar to credit reports where you will be assigned a number based on profitablity and treated accordingly. If you don't want to see that happen, make sure you let your legislation know.

Pretexting Becomes Illegal

From the Ars Technica article:

Under the new law, anyone attempting to "knowingly and intentionally" acquire the phone records of a third party by making false representations to a phone company or selling such illegally obtained records will face up to ten years in prison and fines.

Is it just me or does this seem really wrong? Why did we have to make a law about this? Wasn't it obviously a bad thing already?

FBI Aren’t Snooping Alone – CIA and Military Take and Keep Info

Just so we can feel a little more warm and fuzzy about our government, here's a snippet from Ars Technica about how it's not just the FBI abusing power these days. From the article:

Wired's Ryan Singel adds a bit more to the story with the tidbit that the Pentagon plans to hang on to the records and feed them into TALON, the database project that the military uses for the data-mining part of its anti-terrorism efforts. Great! This is especially encouraging in light of the comments of Pentagon officials quoted by the Times who claim that these records are typically used to knock names off of the suspects list. In other words, they look at the records, determine that Mr. Smith is completely innocent, has no ties to terror, and got his money legitimately, then they promptly feed his data into an anti-terror database.

I guess that innocent until proven guilty thing isn't good enough anymore.

Federal Trade Commission Seeks Public Comment on ID Theft

From the FTC website:

Notice for public comment: The Federal Identity Theft Task Force, chaired by Attorney General Alberto R. Gonzales and co-chaired by Federal Trade Commission Chairman Deborah Platt Majoras, is seeking public comment on ways to improve the effectiveness and efficiency of federal government efforts to reduce identity theft.

What could I tell them about? Hmm… Let's see… Oh! How about how easy it would be to reduce ID Theft with a good Credit Security Freeze law? How about how we desperately need strong, swift protection against data mining and sharing companies?

It's fairly simple really. First we need better control of our data and second, we need to limit what can be done with the data once it's been breached.

The e-mail address to write to is hidden in a document, so here it is "Taskforcecomments AT idtheft.gov" (@ replaced to prevent bot Spam). Be sure the subject is "Identity Theft Task Force" and that you include contact information. They prefer that the substance of your comments be in WordPerfect, MS Word or PDF format as an attachment.

See my submission here

PASS Card Has RFID Too

EPIC reports that the Department of Homeland Security is creating a passport-like system that will be required for travelers between the US, Canada, Mexico, the Caribbean, and Bermuda. This "passport" will contain RFID and very little security. From the article:

The federal government has been increasingly using RFID technology in its identification documents. The Department of Homeland security last year began using RFID-enabled I-94 forms in its United States Visitor and Immigrant Status Indicator Technology (“US-VISIT ?) program to track the entry and exit of visitors.19 This year, the State Department began issuing RFID-enabled passports to U.S. citizens.20 Only 23% of U.S. citizens have passports.21 Therefore, under the Western Hemisphere Travel Initiative, U.S. citizens would have to carry either a passport, which costs $97 for first-time applicants, or a PASS card. As the proposed Western Hemisphere Travel Initiative PASS card, U.S. passport, and US-VISIT I-94 entry and exit forms all contain RFID chips, if the PASS card proposal is adopted, then all U.S. citizens carrying either a passport or PASS card and visitors entering the country through US-VISIT will be able to be tracked using RFID technology.

Spy Coins?

CNN posted an article about tiny transmitters embedded in some Canadian coins and planted on contractors with security clearance. From the article:

In a U.S. government warning high on the creepiness scale, the Defense Department cautioned its American contractors over what it described as a new espionage threat: Canadian coins with tiny radio frequency transmitters hidden inside

Experts were astonished about the disclosure and the novel tracking technique…

Okaaaaay…. So, this is "creepy", and "novel"? First of all, coins can be given away very easily thus defeating the point of tracking the recipient. Second, the metal of the coin will inhibit the transmitters. Third, tracking technology already exists and is being used now. It's called RFID (aka Spychips) and if we allow businesses to put it into our clothes or ourselves, the spies would have a much easier time of tracking us.

City Surveillance Cameras Show Slaying

Schneier reports on a murder that was captured on a city camera system. He clearly thinks that such systems are pointless though the article seems to present it as being good (it caught a thief after all).

By using the worst possible scenario, however unlikely, it becomes easy to scare people into supporting something you personally want. When it comes to camera systems everywhere, remember this: absolute security can be acheived through absolute surveillance. This is true, but absolute surveillance also brings zero privacy and freedom.

Making it seem like giving up freedom for security is a marketing plot by those who falsely believe in a big-brother society. Bush has proven again and again that only with public review of the government can there truly be freedom.

How’s The Cloned Meat Taste?

Sixwise reports on the FDA approval of cloned meat and milk. Most notably, there will be no notification required. Quoted from the article:

"When they deny us mandatory labels, they don't just deny us the right to choose," said Andrew Kimbrell, executive director of the Center for Food Safety (CFS). "They also deny our health professionals the ability to trace potential toxic or allergic reactions to this food. It's bad enough they're making us guinea pigs. But when we have health effects, we won't be able to trace it."

And they wonder why there's no consumer confidence anymore.

E-voting in Trouble Again

According to EFF:

Colorado-based Ciber, Inc., the largest laboratory that tests software used in U.S. voting systems, has been temporarily banned from approving new systems following problems discovered last summer by the Election Assistance Commission (EAC).

The EAC found that Ciber was not following proper quality-
control procedures and could not document that it was
conducting all the required tests. Ciber's renewed petition
for accreditation is currently under EAC review.

It's such a sad, sick state of affairs that these systems were implemented with so little oversight, planning, or accountability. When all is said and done, e-voting is not ready. Hopefully the dreary mess they made of it this year will spur some positive action for the coming years.

Government Will (Finally) Encrypt All Laptops

Schneier reports that the government will begin encrypting all laptops. This is in response to case after case of stolen laptops leading to loss of personal data such as in the case with the Veterans Administration.

Considering that the typical response is to offer worthless credit monitoring services to make it look like they're doing something when they're actually not, this is a welcome change.

Now if only they'll hold employees accountable for keeping the key/token/passwords in the same bag with the laptop…

Sony Settles for $4.5 Million for their Illegal CD-Virus

Consumer Affairs reports a settlement with 39 states for Sony's use of a "rootkit" to try and prevent users from copying their music. This forced DRM was detected by computer experts and quickly raised a stir.

Most importantly,

Sony said it was "pleased" with the settlement and said it would stop using copy-protection software that cannot be easily removed from consumers' PCs

Which means they won't stop, they'll just stop trying to do it secretly and make it a condition for using the CD in a computer.

New State Laws Allow Security Freezes

According to Consumer Affairs, Hawaii, Kansas, New Hampshire, Oklahoma, Pennsylvania, Rhode Island and Wisconsin now have credit security freeze laws. However, it sounds as if you must be a victim before you can use the law (which is really, really stupid). A friend said once that this is like having to wear a seatbelt, but only after you've been in a car wreck. Sounds like a good analogy to me.

Microsoft Finally Adds Stupidly Obvious Security Feature

The Washington Post reports that IE 7 will not have the long known flaw that allows a website to steal the data that may be hanging out in your clipboard.

For those who don't know, the clipboard is where anything you cut and paste hangs out. The trick is, it stays there until you cut or copy something else. So, if the last thing you copied was your tax record from one document to another and then you visit a nosy website, they could have all that data.

If it seems as stupid to you as it does to me that IE allowed this in the first place, then you'll understand why security people like me knock Microsoft all the time (this is hardly the first or last instance of this kind of thing).

For another example, see this article, under the heading of Macro Viruses.