"Secret Service paid TJX Hacker $75,000 a Year"

According to Wired, a convicted hacker and credit card thief was paid to work undercover for the U.S. Secret Service. A convicted accomplice told Wired that Albert Gonzalez was paid $75,000 a year in cash as a confidential informant to the U.S. Government.

Though the Secret Service would not comment, a former federal prosecutor told Wired that the payment was not unusual. He compared it to "million-dollar payouts" to informants involved in organized crime investigations. According to Department of Justice guidelines, agents are required to advise confidential informants that payments "may be taxable income that must be reported to appropriate tax authorities".

Albert Gonzalez was arrested in 2008 and accused of running one of the largest identity theft crimes in U.S. history. After his arrest Gonzalez lead instigators to more than $1 million buried behind his parent's home.

Gonzalez will be sentenced on Thursday. The government is seeking a 25 year sentence.

Attn. MPAA: There are much worse ways to copy movies than with a computer.

In 2007 prosecutors in Anchorage Alaska accused 34 year old stripper Mechele Linehan of plotting a murder based on the 1994 movie "The Last Seduction". Life so closely imitated art, said prosecutors, that they even tried to have the movie played for the jury.

Rockstar Games Grand Theft Auto

In 2008 a teenager confessed that he was trying to imitate scenes from the video game "Grand Theft Auto" when he robbed a murdered a taxicab driver in Bangkok Thailand. Movies like "The Deer Hunter" (1978) are even believed to have inspired several "copycat" suicides in the late 1970's and early 80's.

All of this may seem like fodder for censorship advocates, but that debate has largely come and gone in favor preserving the First Amendment's right to free speech. Wise as the framers of the U.S. Constitution may have been, few would accuse them of being clairvoyant. After all, who could have predicted the impact the Internet would some day have on both the precept of free speech and the concept of privacy?

Though many speak of the "right to privacy", it is not, at least as far as the U.S. Constitution is concerned, a right at all. It is, nonetheless, an ethos that has long been coveted by Americans, and is implicit in the Fourth Amendment's:

...right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures...

Of course, mention the term "search" to most people today, and it's far more likely to conjure thoughts of friends lists", home pages and e-books, than actual people, houses and papers. And while, in just the past few years, popular culture has come to embrace the sharing of intimate, private and personal details with virtual strangers, the desire to remain "secure" seems to be very much alive in the 21st Century. In fact, more than any other, the Fourth Amendment has played a central, albeit contested, role in the litigation of hi-tech criminal evidence.

I know what you watched last summer...

So, what does all this have to do with your Netflix queue? Though Americans, and many other people around the world, may be willing to voluntarily divulge personal information, either in trade for modern conveniences and services, or increasingly, for a sense of online significance, we're not quite as enthusiastic when it's taken from us and shared without any tangible return. It's no longer a secret that the monetary value of data has been pre-calculated into the return on investment (ROI) of so many of today's business models, but consumers still tend to expect a certain level of security. In recent years the bar has been set pretty low. Still, it may surprise many to learn that "anonymous" usage data can be deciphered into personally-identifiable intelligence, as proven by a pair of researchers at the University of Texas using what was thought to be anonymous user data provided to contestants in the three-year $1 million "Netflix Prize" to improve the site's recommendation results.

The UT's results brought both unwanted attention from the Federal Trade Commission and a lawsuit from a private firm, resulting in Netflix's decision last week to cancel a planned sequel to the prize awarded last year.

It's not hard to imagine how this sort of data could be exploited to peddle shoes to people who have rented all six seasons of "Sex in the City", or BestBuy ads targeted at fans of NBC's "Chuck".

Dreamworks Minority Report (2002)

It's no longer extraordinary to see similar data exploited in the process of investigating crimes either. Certainly the viewing interests and habits of the individuals mentioned above have been considered relevant discovery by law enforcement. In these cases, there's little, if anything, to decipher.  Anything that Netflix knows about you, your account, and your viewing habits, is subject to a warrant, and, with or without much imagination, could be incriminating. How many of us haven't seen a good fictional car case, a well-written murder plot, a scripted street-fight, or a perfectly executed crime? The consumption of such fiction could be hazardous to your defense, if it proceeds similar accusations.

Now, imagine the same evidence available to anyone, without a warrant, subpoena, or probable cause. Perhaps someone at the FTC had the movie "Minority Report" in their queue.

What do you call the sacrifice of one person's privacy in an attempt to save the privacy of over 1300? If you're a bank, you call it collateral damage.

When I was a kid I earned my first paycheck passing out fliers for a neighbor who was starting a pool cleaning business. With my first $13 in hand, my grandfather took me to the a bank in walking distance to my home, got me a tour of the vault from the branch manager, a neat pouch to hold all my coin, a full explanation of the principals of savings and loans, and helped me open my very first savings account. Believe it or not, back then, all my account information was stored on a double-sided index card behind the teller.

Today, things are much more complicated. Gone are the index cards and passbooks, most of the employees, tellers and branches, a good deal of the service, interest-bearing accounts with only $13 in them, and a lot of the customers' money. Today, it's all computerized, and most banks even attach various penalties to discourage human contact.

I know an awful lot about electronic data systems, but I don't pretend to fully understand how the modern banking system works. Sometimes, I think I do--from a mechanical (as opposed to financial) perspective. But then something convinces me that I don't. For instance, you know how every so often your bank emails its customers' names, addresses, Social Security numbers, and loan information to Gmail?

To be completely honest, I didn't know they did that either, until I found out recently that The Rocky Mountain Bank in Wyoming had sent 1,325 such records to the wrong Gmail account. (Mind you, most would have trouble imagining who could possibly be the right recipient.) Once the error was noticed, the bank attempted to contact the recipient to request immediate destruction of the email and its attachment. When the bank received no response, a request was made to Google for the recipient's identity. Citing its privacy policy, Google refused to provide the information requested, and the bank filed suit.

According to court documents:

"On August 12, 2009, Plaintiff received a request from one of its customers for Plaintiff to send certain loan statements to a third-party representative of that customer. That same day, an employee of Plaintiff attempted to send the requested information to the customer’s representative via email. The next day, Plaintiff discovered that its employee had inadvertently sent the email to the wrong Gmail email address. In addition, Plaintiff discovered that attached to the email was a file containing confidential customer information for 1,325 individual and business customer accounts for customers other than just the customer who requested information. The confidential information includes names, addresses, tax identification numbers, and loan information for each of the 1,325 customer accounts.

After learning of its inadvertent disclosure of confidential customer information, Plaintiff tried to recall the email without success. It then sent another email to the Gmail address, instructing the recipient to immediately delete the prior email and the attached file in its entirety without opening or reviewing it. Plaintiff also requested that the recipient contact Plaintiff to discuss his or her actions. The recipient has not responded to Plaintiff’s email."

Ironically, in a case that pits the privacy interests of innocent parties against each other, the protagonists of this story had some privacy concerns of their own. The Bank's lawyers attempted to file their suit under seal -- which was denied by the U.S. District Court. Though not mentioned in the court's ruling on this issue, most states have security breach notification laws that require disclosure of any records that may have gotten into the hands of unauthorized individuals. Wyoming does, indeed, have such a law (40-12-502. "Computer security breach; notice to affected persons"). It states:

"(a) An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident."

While the bank was compounding errors by ignoring its obligations to its customers and state law, their case against Google was being reviewed by another judge who ordered Google to disable the account, and disclose the recipient's identity.

The Rocky Mountain Bank maintains that it contacted the recipient more than once and requested that the individual respond to requests to "discuss his or her actions". The implication is that, had the recipient responded, this whole matter could have been handled amicably and honorably -- among gentlemen, as it were. I wonder if, from the perspective of the bank, its customers, or even the email recipient, a "discussion" would have really sufficed. I know, as a bank customer, John Doe's word that he had deleted all my personal information from his Gmail account wouldn't satisfy me at all. If I were in charge of bank security, I don't think I'd be very satisfied either. In either case, I suppose I would be demanding proof that had been deleted, never copied, forwarded, or printed, and probably some kind of connotative memory-wipe.

Years ago, I was consulted by a judge after a District Attorney's office "accidentally" obtained access to a defense lawyer's hard drive (quotes inserted to cite the provided explanation, not my personal feelings about the explanation). The negotiated remedy and order was an extensive forensic search of the DA's hard drives, and a complete wipe of their contents -- even when the search turned up no conclusive evidence that the DA had ever examined any privileged materials. But I doubt any accidental recipient would agree to that -- especially a civilian. And why should they?

Of course, no one knows, at this point, if the recipient ever saw the message. Many reading this web site would likely have dismissed it, and any subsequent messages from the bank as a phishing scam. The Rocky Mountain Bank even has a link to an oddly nondescript PDF addressing the subject of phishing scams.

There's really no reason to believe that the bank ever considered litigation to be an entirely avoidable option, no matter how cooperative the recipient might have been. Nor am I convinced that the court's decision has provided any comfort to the individual's who's privacy has been sacrificed -- including the one who's email account has been disabled, and personal information shared with a bank that's already demonstrated that they can't be trusted with the information.

So, if suing Google won't assure its customers' privacy and financial security, what should the bank have done? That's an easy one. Ask any programmer. They'll tell you: The only way to fix a 1D10T error is to upgrade your wetware and reboot.

You've been punked!!!

How German filmmakers hijacked part of California, stole its identity, and used it to scam an entire country.

I think I've finally figured out the origin of the expression, "If you believe that, I've got a bridge to sell you": Bluewater, California.

The "bridge" to which I refer crosses the Colorado River, and connects Bluewater, California with its sister-city, Bluewater, Arizona. According to the city's web site, downtown Bluewater offers a range of bars and restaurants where you can dine on seafood fished from local waters, get locally-grown produce from the Farmer's Market every Wednesday and Saturday, and enjoy summer poetry in the park.

Imagine the shock when KVPK7, Bluewater's own local news channel reported that the tiny city had become the target of an attempted suicide bombing by a German rap group known as “Berlin Boys”? Who on earth could conceive of such an event hitting a small town in America?  Only Hollywood. Or, in this case, a group promoting the German film, "Short Cut to Hollywood."

The group, according to Wired, set up fake web sites for the "city" (actually, an unincorporated, and largely uninhabited, part of San Bernardino County, CA), the news station, and even a Wikipedia page further authenticating the fictitious news station. They simulated news footage, and even posted local Skype phone numbers on the fictitious web sites. After receiving a tip, journalists in Germany found the fake city web site, and used the phone numbers listed to confirm the tip and interview city officials. Those numbers, of course, went right back to the pranksters in Germany. From there, the story spread through the German press.

The hoax might have lasted longer had news agencies, hungry for additional information, not called the superseding county, San Bernardino, for comment.

Think it couldn't happen here? Well, it practically did. If a handful of German artists who know how to write web pages can fool the entire German press, it certainly doesn't bode well for the common folk who rely on them. And, if part of  California can have its identity stolen, that doesn't bode well for the rest of us either. Just imagine what could have happened if the state still had its credit rating.

By the way, anyone know the German translation for "Punk'd"?

You probably won't find much sympathy for Elane Cioni. A mistress scorned, she's been convicted of hacking into the email account of her former-boss, the man with whom she was having an affair, and then his wife, his other girlfriends, and even his kids. (I suppose, that doesn't engender much sympathy for her main-target either.) But, you might be surprised to find out Cioni's not a very good hacker.

You might also be surprised to learn that there's a market for professional hacking and, similar to many legitimate professions, the jobs are going offshore. When it comes to password hacking, those who can, do. Those who can't, outsource. When Cioni wanted back into her boyfriend's life she turned to one of an increasing number of web sites with offers like this:

"Need to monitor your Child? Your Spouse? Your Boyfriend/Girlfriend? We Hack Passwords for $100 USD. We Crack all major web based emails. This include Hotmail, Yahoo! AOL and Gmail. We Provide Proofs Before payment."

Passwords for $100

One particular web site even states: "This unique service is 100% legal".

The Washington Post conducted an interview with the FBI to find out why these services remain online. "The FBI is aware of these illegal services," spokesman Paul Bresson said, "and we have been successful in the past in identifying criminal activity and working with prosecutors to bring indictments. Users of these services should know that just because a product is marketed on the Internet doesn't mean it's legal."

While Cioni had an agenda, the same password could have granted her access to her victims' bank accounts, insurance policies--access to practically any service that allows individuals to "log in". Once access has been gained, she could have reassigned passwords, and even rerouted email communications, effectively allowing her to assume the individual's identities. Fortunately, that wasn't her agenda. But, it's unknown how many of the nation's tens-of-millions of identity theft victims had their passwords purchased.

Making a case against Cioni wasn't very difficult. Of course, it helped that she mentioned things to her boyfriend that only someone who would have read his email would have known.  And, she used her own PayPal account to pay for the password hacking service. In case that wasn't enough, IP address records were subpoenaed from her Internet Service Provider (ISP), and her computer was searched to find fragments of her targets' email cached to her hard drive.

Then again, Elane Cioni is not a very good hacker.

You can listen to below an NPR interview on this topic, and hear more about this story:

Washington Post (http://www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html)

Source: Wikipedia

In a match between Bird-brain vs. broadband, you might be surprised to see who wins.

An old friend of mine pointed out what sounded like an interesting story out of South Africa. Tired of slow download speeds, a South African call center pitted a racing pigeon against Telkom South Africa Ltd.’s ADSL data service to see which could move a 4GB file faster. In total it took just under three hours for the bird to fly approximately 50 miles--about 30 times faster than the ADSL service, which had only downloaded 4% of the file in the same time.

I'm afraid we're not really comparing apapane to apapane, or even apapane to ostriches. I doubt, for instance, that the pigeon would fair quite as well over, say, a 500 or 5000 mile "data run".

The experiment, however, raises what is perhaps a more relevant conclusion: You probably couldn't find a more secure method for moving data than via carrier pigeon. While all Internet traffic is subject to both warranted, and illicit intercept and monitoring at multiple gateways, routers, interconnection points, and hosts, one would be hard pressed to serve a warrant on--or even physically intercept--a carrier pigeon. Not to mention, even if they occasionally drop a "packet", it's hard to argue with their wireless range.

It's certainly something to think about.

Thanks Ron!

More at:

Bloomberg (http://www.bloomberg.com/apps/news?pid=20601116&sid=aB5JSWQt0XYY)

News.com.au (http://www.news.com.au/technology/story/0,28348,26053119-5014239,00.html)

You're not one of those people who leave their wi-fi network open to anyone who passes by, are you? You realize, of course, that--beside the obvious security risks to your computers, your network, your passwords, email, accounting files, your bank account, private identity, maybe even sensitive medical information--that anything someone else does on your network will be traced back to you--the resident and ISP subscriber? Say, for example, the kid next door decides to use your "lightning fast DSL" to download, or worse--share--his music collection via Bit Torrent. The RIAA subpoena will be addressed to you. Or, suppose someone driving by decides to stop and explore his sexual curiosities where they can't be traced back to his network. The search warrant will be addressed to you.

But, that's not your problem, right? Because your wi-fi network is encrypted, right? I remember, back in the day, I used to brag that it would be easier to poach my cable connection from the street than hack my wi-fi, because I was using WEP encryption (cracked in 2001), a MAC filter (easily spoofed), AND I cloaked my SSID (worthless). Since then, came WPA, and more recently WPA2.

Linksys settings for WPA2 wireless secruity.

If I lost you at "lighting fast DSL", then the following probably is your problem: Computer scientists in Japan have developed a way to break the WPA encryption system used in wireless routers in just one minute. For those keeping up, presumably you upgraded your router firmware some time back, or purchased and configured a new router to utilize WPA2--which is, so far, considered to be secure.

While the availability of the hack certainly makes for a very reasonable and plausible deniability and is bound to be tested in the courts by way of a defense--especially for the purposes of challenging a search warrant--my recommendation would be to lock your wireless router, and make certain that you're using the latest Wi-Fi security protocols. If that means hiring a professional--trust me, they're cheaper than legal fees. Remember, no wireless router comes secure out-of-the-box.

Israeli scientists are declaring war on DNA evidence. According to a paper published today in the journal, Forensic Science International: Genetics, scientists in Tel Aviv have have demonstrated that it is in fact possible to fabricate DNA evidence, opening up an entirely new avenue of reasonable doubt.

As quoted to the New York Times by lead author, Dr. Dan Frumkin, “You can just engineer a crime scene. Any biology undergraduate could perform this.”

Not surprisingly, Dr. Frumkin also claims to have developed a test to distinguish real DNA from manufactured evidence, which he hopes to sell to forensic labs.

If confirmed independently, this could spell the end to what has long been regarded as a flagship of forensic evidence--at least in prime time television--and usher in an age where DNA hacking becomes the newest form of identity theft.