130 Million Credit and Debit Card Numbers Stolen

130 million sure sounds like a lot, but keep in mind how many individual transactions companies like 7-Eleven have in a single day. Besides wondering why the company security was so weak, I'm more interested in why these companies had so many credit card numbers on file in the first place. Once my transaction is complete, they shouldn't possess the data anymore.
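The point above is data minimization: once the processor has authorized the charge, the merchant has no reason to keep the full card number. The following is an added example (not code from the original post or from any of the companies mentioned) showing what a merchant-side record can look like when only a processor token and a masked number survive the transaction, plus a scan that flags full card numbers that have leaked into logs or database dumps. The `authorize_with_processor` function and the `tok_` token format are assumptions standing in for a real payment processor API; the card numbers are constructed test values, not real accounts.

```python
import re
import secrets
from dataclasses import dataclass
from typing import List

# Constructed sample card numbers (standard test values, not real accounts).
SAMPLE_PAN = "4111111111111111"
BAD_PAN = "4111111111111112"


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped numbers before anything is sent to the processor."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or support record needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class StoredTransaction:
    # What the merchant keeps after authorization: no full PAN, no CVV, no expiry date.
    processor_token: str
    masked_pan: str
    amount_cents: int


def authorize_with_processor(pan: str, amount_cents: int) -> str:
    """Hypothetical stand-in for the payment processor call (assumption, not a real API).
    A real processor returns an opaque token that only it can map back to the card."""
    return "tok_" + secrets.token_hex(8)


def record_transaction(pan: str, amount_cents: int) -> StoredTransaction:
    """Authorize the charge, then persist a record that never contains the card number."""
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    token = authorize_with_processor(pan, amount_cents)
    record = StoredTransaction(token, mask_pan(pan), amount_cents)
    del pan  # drop our reference; nothing after this point holds the full number
    return record


# Loose card-number pattern (13-19 digits, optional spaces or dashes) for scanning stored
# data; candidates are Luhn-checked to cut down false positives from order ids and amounts.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def find_unmasked_pans(text: str) -> List[str]:
    """Scan a log line or database dump for full card numbers that should not be there."""
    hits = []
    for m in _PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    rec = record_transaction(SAMPLE_PAN, 1999)
    print(rec)                                      # token + masked number only
    print(find_unmasked_pans(repr(rec)))            # [] : the record is clean
    print(find_unmasked_pans("card=4111 1111 1111 1111 amount=1999"))  # a leak
```

Running `find_unmasked_pans` over application logs and database exports is a cheap way to catch the situation the post complains about, where full numbers accumulate in places nobody intended.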

Symantec Partners with Lifelock

Wow. Symantec has always been a fairly reputable company that I've had little issue with other than that their security software is historically bloated and a resource hog. But now that they've partnered with Lifelock, I can only assume one of two things: Symantec is willing to throw their customers under the bus for money or they have no quality control. Either way, I think it's definitely time to stick with McAfee.

If you want to stay safe while working on your computer or browsing web sites, you can get Norton Internet Security or Norton AntiVirus with a 30-day LifeLock service and 10% off the subscription, along with two movie tickets. After the trial period ends you will be charged automatically $9 a month, or $99 annually.

Granted, McAfee also does this "free trial" BS in order to trick customers into subscriptions that they didn't know they were getting, but at least the free trial is for their anti-virus software and not some shady ID theft insurance deal.

RFID In ID Cards Still a BIG Problem and Getting Worse

"There's a reason you don't wear your Social Security number across your T-shirt," Albrecht says, "and beaming out your new, national RFID number in a 30-foot radius would be far worse."

There are no federal laws against the surreptitious skimming of Americans' RFID numbers, so it won't be long before people seek to profit from this, says Bruce Schneier, an author and chief security officer at BT, the British telecommunications operator.

Data brokers that compile computer dossiers on millions of individuals from public records, credit applications and other sources "will certainly maintain databases of RFID numbers and associated people," he says. "They'd do a disservice to their stockholders if they didn't."

Or put simply, everyone knows that this is scary beyond reason and we need to do something now BEFORE it's a problem.

Here is some more information from the source article:

In its October 2005 Federal Register notice, the State Department reassured Americans that the e-passport's chip — the ISO 14443 tag — would emit radio waves only within a 4-inch radius, making it tougher to hack.

Technologists in Israel and England, however, soon found otherwise. In May 2006, at the University of Tel Aviv, researchers cobbled together $110 worth of parts from hobbyist kits and directly skimmed an encrypted tag from several feet away. At the University of Cambridge, a student showed that a transmission between an e-passport and a legitimate reader could be intercepted from 160 feet.

The article also mentions a video that shows the results of his experiment. I was able to find it HERE.

Lifelock Loses Court Battle and Two Bullet Points

Lifelock was sued by Experian for placing fraud alerts for anyone and everyone, when the alerts are supposed to be set by individuals themselves and only when they feel they are at risk for ID theft. While I think the whole fraud alert system is bogus and it doesn't really matter if you set one or not, I can't help but snicker that the courts ruled that the practice of a third-party company setting them for customers (like Lifelock does) is not legal.

Considering that the first two bullet points on Lifelock's "what we do" page are "set fraud alerts" and "set them again after they expire", their list of what you supposedly get for the money you pay is going to look quite anemic indeed.

Seaworld Data-Raping Customers’ Fingerprints

I understand that using a word like rape to describe companies that take data from people against their will is a bit coarse, but it's exactly how I feel. I found out this weekend that a friend of mine had his and his wife's fingerprints taken from them by Seaworld before they were allowed to go into the park.

Though you might say "He could have just left", he had already bought a two-day pass for him and his family and invested a significant amount of time and money in the trip. Besides, no one should have to be treated like a criminal just because a theme park is concerned about a few dishonest people who are sharing passes. They could just as easily print their photos on every person's pass which would be even more efficient without the privacy issue.

I can't stand the trends that some of these places are setting and I hope they don't get away with it. If we're lucky, the ACLU or the State of California is already looking into this issue.

China Bans Gold Farming

While playing online games like World of Warcraft and similar, you find advertisements for people who will get you rare items or in-game money (gold) for a fee. These so-called "gold-farmers" are often employed in different countries like China.

Well, China took note and passed a ban on gold farming based on the idea that the economy of large online games could affect the real economy negatively.

Whatever the reason, I think that getting rid of the farmers will have a positive effect on the games themselves and I hope we see more of this in the future.

Anti-Stab Knife

I can't think of a reason why this isn't a good idea. Who needs large kitchen knives to have pointed ends anyway? I hate carrying the things around for the risk of turning around and finding someone standing there. Granted, I can just be very careful to point the thing down when I'm in the kitchen, but then when I drop it, the pointed end is aimed right at my foot.

Regardless of how unrealistic you think my scenarios are, an anti-stab knife would reduce the risk significantly. It's interesting at the least.

(H/T to Schneier's Blog for the link)

Acai Berry Company Ripoff Exposed

Whether this Acai berry has any useful properties or not, people who purchased the "risk-free trial offer" ended up getting charged for tons of extras based on the sneaky way that the company set up its online purchasing system. Customers had to actively find and de-select options for upsell products and add-ons that were selected by default. Anyone who failed to notice them was charged.

Be careful when dealing with infomercial and snazzy website ads for products that claim much, but deliver little. Particularly in the case of food, drinks, or medicines where you won't be able to see the truth of the claims for years (if ever).

Man Facing Child Porn Charges for Photoshopped Images

Check out this story:

A Tennessee man is facing charges of aggravated sexual exploitation of a minor for what authorities say are three pictures — none of them featuring an actual child's body.

Instead, according to testimony presented at Michael Wayne Campbell's preliminary hearing in Chattanooga, Tennessee, on Wednesday, the photos feature the faces of three young girls placed on the nude bodies of adult females, CNN affiliate WDEF reported.

The Supreme Court has already ruled that when no child is actually harmed, it's not a crime, and I agree with that ruling. As distasteful as I may think it is, what someone does in their own home that harms absolutely no one and has no potential for harming anyone isn't really any of my business.

If this kind of thing continues, should we start prosecuting people who look at other types of extreme porn even if there's no victim? Should anyone looking at porn who's married be prosecuted for adultery? There is an argument that sometimes it's hard to tell the age of the participants, and in extreme porn whether or not someone is actually getting hurt (à la the film 8mm), but there have even been cases of people getting in trouble for cartoon and computer-generated porn where there's no possibility of a live person being hurt. I won't say that I'm completely decided on this issue, but right now I think that this trend is going just a little too far into the "thought police" arena.

Bruce Schneier on TSA Security

Here is an excellent short essay on how to fix airport security and restore a bit of our dignity and rights at the airports:

Fixing Airport Security

Also be aware that the TSA is making significant strides backwards when it comes to whole body imaging. Where they used to be looking at technology that wasn't as privacy invasive, they've now started making a major push for what some are calling a digital strip search. The most important issue here is that the scanners are being planned as a replacement for metal detectors which means you'd have no choice but to bare all for the TSA.

Bring on the tinfoil underwear…

City in Montana Demands Your Login Details to be Hired

This is so wrong, I barely know what to say. I sure hope this trend doesn't start to catch on, because a lot of people would give up the information when they're pressured instead of doing the right thing and refusing.

"Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc." the form reads. But Bozeman isn't simply interested in finding out where to look for potentially embarrassing personal details; the city wants full disclosure, since the form demands username and password information for each.

This is way worse than all those sickening social networking sites asking for your e-mail address password.

Update

Here is the contact information for the relevant people in the city if you want to ask them why they thought this would be a good idea.

And just in case someone were to change the form, here's a copy of the original found on their website:

This is for real... they actually expect you to give up your account details!

RIAA Appeal Goes Bad

A mother of four who was hit with a massive fee for sharing music online a while back finally won a new trial, but somehow ended up with a fine almost 10 times as high!

Even though there was no proof of any harm done to the recording companies, since there's no way for them to show that anyone actually downloaded any music from her, she was slapped with a nearly $2 million fine for her immense crimes (which were never proven).

Even if 100,000 people had downloaded each of the 24 songs she supposedly shared online (which probably wasn't even intentional as filesharing software generally shares what you download by default), that doesn't translate to direct financial loss to the recording companies anyway! This is a tragedy and I don't understand it. At best, it might be a judge's way of getting attention on the issue by pushing the verdict to absurd extremes.

Anti-virus Companies Get Slapped with Fees for Resubscribing People

The most important part of this story is that there was notice provided to customers of the resubscriptions, but because it was buried in the license agreement, the courts determined that the subscriptions were charged without consent.

The investigators found that "information about automatic renewal charges was not clearly disclosed, but was instead hidden at the bottom of long web pages or in the fine print of license agreements".

The companies have now agreed to provide electronic notification both before and after the renewal of subscriptions. Customers will also be allowed to apply for refunds for up to 60 days after being charged.

Just because it's in a contract doesn't mean someone understands it. Companies have enormous leverage against regular people and it's nice to see that courts are standing up for the little guy.

CFP 2009 – Privacy By Design

In today's afternoon session, a privacy commissioner from Canada gave a talk about the importance of "Privacy by Design" which refers to the concept of building privacy technologies into systems and devices during the design phase. Only then can things like surveillance cameras be implemented safely because they have been rendered incapable of collecting data or details that would be privacy invasive.

Her concept is similar to the idea of building security into devices during design instead of later, after they've been fully created, and it's a very good point.

CFP 2009 – Data Collection on Consumers

The panel this morning consists of members of the FTC, Google, and Microsoft and the subject is profiling people online.

There are so many questions I want to ask such as why Google stores data for so long (which they've avoided answering before) and why the FTC doesn't promote credit freezes (which they've avoided answering before).

In the meantime, there's talk about the different types of data collection each group does and the standard rigmarole about customizing and targeting advertisements as if that's helpful to the end user. Granted, ads that are more appropriate are more useful than ones that aren't, but I see that as the same as having a neighbor down the street that you hardly know bring you a box of your favorite beef jerky. It's nice, but damned creepy when someone knows that much about you when you don't know who they are, what their intentions are, and how much else they know about you.

I stood up to lecture the panel on three points: personalized ads aren't necessary for small sites to exist if they use the product recommendation method (as I do) rather than random ads; opt-out is an unfair business practice, since it requires that people become very knowledgeable about ads and how to stop them, which is near impossible for regular people; and opt-in is not only necessary, it's easy.

I doubt the information I shared will have any positive effect on the industry, but it was still worth a try.