Category: Current Events

National breach list? Pinch me!

H.R. 3997, the Financial Data Protection Act, is one of the many pieces of legislation proposed in the US to deal with identity theft or notification of security breaches. It was approved by the Financial Services Committee of the House of Representatives on 3/16.
I haven’t read the full text of the bill (and it has been roundly criticized by folks whose opinions I trust) but I was happy to see this in the press release from the commitee:

An amendment offered by Rep. Barbara Lee (CA) would require the Federal Trade Commission to coordinate with other government entities to create a publicly available list of data security breaches that have triggered a notice to consumers within a twelve month period.

Another piece of legislation, which has been received rather better by privacy advocates and consumer rights groups, is the Data Accountability and Trust Act. Guess what? It also requires central reporting of breaches:

Any person engaged in interstate commerce that owns or possesses data in electronic form containing personal information shall, following the discovery of a breach of security of the system maintained by such person that contains such data–
[…]
(2) notify the [Federal Trade] Commission;
[…]
The Commission shall place, in a clear and conspicuous location on its Internet website, a notice of any breach of security that is reported to the Commission under subsection (a)(2).

I am happy to see these elements make their way into national legislation.

NJ prosecutor reports debit card ring has been busted

Story at CNET.
In related news, OfficeMax says there’s no evidence they were broken into, and back it up with help of outside experts.
I’m done being a Kremlinologist on this one, for now. With as little solid info as
has made it into the press, it’s just not worth it. Perhaps some facts will come out when and if the prosecutor is successful in obtaining an indictment (if a grand jury will even be used — IANAL).

Metadata strike again!

Brian Krebs wrote about a botnet and the 733t d00d who ran one, nom de hack 0x80. Well, turns out the doctored on-line photo the Washington Post ran contained metadata identifying the gentleman’s rather small home town. Coupled with information in Krebs’ article concerning businesses near 0x80’s residence, identifying the young criminal would seem a foregone conclusion.
The Inquirer reports further.

Thoughts on Farris Hassan, the 'Iraq Teenager'

farris-hassan.jpgIf you haven’t read about Farris Hassan and his trip, take a minute to do so. He flew to Iraq to learn what was going on.

I’d like to start by congratulating the teachers at Pine Crest School. How often, today, are teachers so inspiring? The goal of school should be to develop both a deep thirst for knowledge, and the skills and techniques to obtain that knowledge. (I had many such great teachers. I even took classes with some of them.) The wisdom to assess strategies for learning must come from both the schools, and more importantly, the parents. Before I get to the parents, I’d like to mention the Pine Crest President’s message which says “On your journey, you will hear our youngest students being inquisitive, digging deeper than you would think possible…” Indeed.

Now, as to his parents, I’ll let them speak for themselves: “‘I’m going to hug him. He’s my little angel,’ his mother, Shatha Atiya, said Friday after learning he was on his way home.”

" L'état c'est moi"

Via USA Today:

Days after the Sept. 11 attacks, the head of the National Security Agency met his workforce at the nation’s eavesdropping and code-breaking headquarters at Fort Meade, Md., near Washington, for a pep talk.
“I told them that free people always had to decide where to draw the line between their liberty and their security,” Air Force Gen. Michael Hayden told lawmakers a year later. “I noted that the attacks would almost certainly push us as a nation more toward security.”
Within weeks of Hayden’s talk, Bush did just that

(emphasis mine)

Here's to you, New York…

From New York’s Information Security Breach and Notification Act:

7. (A) IN THE EVENT THAT ANY NEW YORK RESIDENTS ARE TO BE NOTIFIED AT
ONE TIME, THE PERSON OR BUSINESS SHALL NOTIFY THE STATE ATTORNEY GENER-
AL, THE CONSUMER PROTECTION BOARD, AND THE STATE OFFICE OF CYBER SECURI-
TY AND CRITICAL INFRASTRUCTURE COORDINATION
AS TO THE TIMING, CONTENT
AND DISTRIBUTION OF THE NOTICES AND APPROXIMATE NUMBER OF AFFECTED
PERSONS. SUCH NOTICE SHALL BE MADE WITHOUT DELAYING NOTICE TO AFFECTED
NEW YORK RESIDENTS.

(bold mine, caps in original)
Would that every state’s breach disclosure law had such a central reporting requirement. As Emil Faber memorably put it, “Knowledge is good”.

Navigation