Disgruntled Hacker [Debt Collector] Disables More Than 100 Cars Remotely

Pay Technology's Webtech Plus

Cleveland-based Pay Technologies is a company that sells hidden wireless black boxes that allow car dealers to remotely disable a car’s ignition, or trigger the horn to begin honking, as a not-so-gentle reminder that a payment is due. The Webtech Plus responds to commands issued through a central website, and relayed over a wireless pager network.

A car dealer in Austin Texas began receiving complaints from hundreds of stranded customers late last month. According to the dealership's manager, the complaints stopped several days later, when he reset all the Webtech Plus employee passwords. Then police obtained access logs from Pay Technologies, and traced an IP address to a former employee. Police say he hacked into the dealership's computer system to deactivate the starters on the cars and set off their horns.

To call the suspect a "hacker" is really an insult to hackers. On the other hand, anyone who's ever spoken with a debt collector probably isn't very surprised by allegations of unethical behavior.

According to the dealership, the employee's account had been closed when he was terminated last month, but they allege he got in through another employee’s account. They claim he was working his way alphabetically through a database of all 1,100 customers whose cars were equipped with the device.

Attn. MPAA: There are much worse ways to copy movies than with a computer.

In 2007 prosecutors in Anchorage Alaska accused 34 year old stripper Mechele Linehan of plotting a murder based on the 1994 movie "The Last Seduction". Life so closely imitated art, said prosecutors, that they even tried to have the movie played for the jury.

Rockstar Games Grand Theft Auto

In 2008 a teenager confessed that he was trying to imitate scenes from the video game "Grand Theft Auto" when he robbed a murdered a taxicab driver in Bangkok Thailand. Movies like "The Deer Hunter" (1978) are even believed to have inspired several "copycat" suicides in the late 1970's and early 80's.

All of this may seem like fodder for censorship advocates, but that debate has largely come and gone in favor preserving the First Amendment's right to free speech. Wise as the framers of the U.S. Constitution may have been, few would accuse them of being clairvoyant. After all, who could have predicted the impact the Internet would some day have on both the precept of free speech and the concept of privacy?

Though many speak of the "right to privacy", it is not, at least as far as the U.S. Constitution is concerned, a right at all. It is, nonetheless, an ethos that has long been coveted by Americans, and is implicit in the Fourth Amendment's:

...right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures...

Of course, mention the term "search" to most people today, and it's far more likely to conjure thoughts of friends lists", home pages and e-books, than actual people, houses and papers. And while, in just the past few years, popular culture has come to embrace the sharing of intimate, private and personal details with virtual strangers, the desire to remain "secure" seems to be very much alive in the 21st Century. In fact, more than any other, the Fourth Amendment has played a central, albeit contested, role in the litigation of hi-tech criminal evidence.

I know what you watched last summer...

So, what does all this have to do with your Netflix queue? Though Americans, and many other people around the world, may be willing to voluntarily divulge personal information, either in trade for modern conveniences and services, or increasingly, for a sense of online significance, we're not quite as enthusiastic when it's taken from us and shared without any tangible return. It's no longer a secret that the monetary value of data has been pre-calculated into the return on investment (ROI) of so many of today's business models, but consumers still tend to expect a certain level of security. In recent years the bar has been set pretty low. Still, it may surprise many to learn that "anonymous" usage data can be deciphered into personally-identifiable intelligence, as proven by a pair of researchers at the University of Texas using what was thought to be anonymous user data provided to contestants in the three-year $1 million "Netflix Prize" to improve the site's recommendation results.

The UT's results brought both unwanted attention from the Federal Trade Commission and a lawsuit from a private firm, resulting in Netflix's decision last week to cancel a planned sequel to the prize awarded last year.

It's not hard to imagine how this sort of data could be exploited to peddle shoes to people who have rented all six seasons of "Sex in the City", or BestBuy ads targeted at fans of NBC's "Chuck".

Dreamworks Minority Report (2002)

It's no longer extraordinary to see similar data exploited in the process of investigating crimes either. Certainly the viewing interests and habits of the individuals mentioned above have been considered relevant discovery by law enforcement. In these cases, there's little, if anything, to decipher.  Anything that Netflix knows about you, your account, and your viewing habits, is subject to a warrant, and, with or without much imagination, could be incriminating. How many of us haven't seen a good fictional car case, a well-written murder plot, a scripted street-fight, or a perfectly executed crime? The consumption of such fiction could be hazardous to your defense, if it proceeds similar accusations.

Now, imagine the same evidence available to anyone, without a warrant, subpoena, or probable cause. Perhaps someone at the FTC had the movie "Minority Report" in their queue.

WARNING: Portions of this video may be disturbing to automotive enthusiasts.

A brother and sister from Diamond Bar were arrested on suspicion of insurance fraud after investigators found a video on the Internet that appears to show their high-performance 2009 Nissan GT-R sports car crashing during a street race.

Investigators say Jay Chen, 21 from Diamond Bar, California first reported to his insurance company that his sister crashed his 2009 Nissan GT-R supercar on the 10 Freeway on March 16, 2009, but later withdrew the claim. They say his sister, Tracy Chen, corroborated the story. Months later, according to insurance investigators, Chen filed another claim (estimated at $76,000 in damage), saying that he had crashed the same car on the 60 Freeway in Riverside. Having received information from a body shop that they had the damaged vehicle on their premises for several months, an investigator turned to the Internet and discovered evidence the California Insurance Commission calls "key to building the case" against the Chens. Both have been booked on charges of felony insurance fraud.

More @ San Gabrel Valley Tribune (http://www.sgvtribune.com/news/ci_14666391) & California Department of Insurance (http://www.insurance.ca.gov/0400-news/0100-press-releases/2010/release040-10.cfm)

How Google might know what you did last summer -- even if you forgot.

Google Latitude is a service that allows users to see and share their location on a Google map live and in real-time. The service runs on most smart-phones, regardless of service provider, including Apple's iPhone, Windows Mobile, the Palm Pre, and, of course, Google's Android. Latitude relies on a combination of GPS, cellular tower triangulation, and wi-fi triangulation. Having brushed-up on the service for a recent National Public Radio (NPR) Interview, I have since considered Latitude one-part creepy, and two-parts cool. However, the creepy / cool ratio may be shifting.

This week Google introduced a new and improved Google Latitude -- with enhanced features like "Location History".  With Location History Latitude users can go back in time retrace their footsteps, and even see where they stayed-put, and for how long. Kind of cool...yet, very creepy. But practical?

Imagine, for example, you're the owner of a Palm Pre on Sprint's 3G Now Network , having trouble remembering where your were when you told your spouse you were somewhere else? Now, there's a map for that!

But wait -- there's more! How about "Location Alerts"? Certainly, a application that would alert you when a particular individual, say a family member, has left work or school, would be very practical. After a while of being alerted every time someone is, or has arrived, exactly where you would expect them to be, however, could get old. So, Google's geniuses stepped it up a notch. According to Google, Latitude will learn user's patterns and behavior so that alerts can be issued when a person has strayed from their routine -- left at a different time, or arrived at a different place.

For example, if you decide to  staycation with your mistress, you can receive a handy alert when your spouse leaves the office earlier than usual. Or, if traffic is particularly light, Latitude will let you know when it's time for a quick window-exit.

Best of all, when the jig is up, no one has to know, because -- for now -- Google is making all these free services available to you, and no one else... at least, without subpoena powers.

This is deception... on the Now Network.

Recently, I had a wonderful opportunity to play a game of hi-tech "phone tag" on the streets of San Francisco with Reporter Martin Kaste from NPR's "All Things Considered". Late last Summer I was  asked if I would be willing to sit down for an interview for a story he was researching about location privacy. But, instead of agreeing to meet Kaste, I told him he had to find me.

With the aid of his GPS-equipped smart-phone, some software, a little patience, and a good pair of walking shoes, he was able to "tag" me sipping a latte outside a coffee shop on Market St. Of course, with my own GPS, and software-equipped smart-phone, I was able to see him coming. What follows are the fruits of that encounter:

Digital Bread Crumbs: Following Your Cell Phone Trail

Jeff Fischbach is a little bit like those guys in The Matrix — when he puts on his shades and looks at the world, he sees data.

Walking down the street in San Francisco, he points out all the devices that record people's comings and goings: digital parking meters, apartment intercom systems, digital security cameras...

Audio and transcript: http://www.npr.org/templates/story/story.php?storyId=114241860&ft=1&f=1019

How Twitter says they'll hide your location from twits with subpoenas.

Recently, Twitter announced that they would be adding geolocation features to their service, allowing users to embed their physical location in their Twitter feed. As not to alarm: Twitter has always maintained that this would be an opt-in feature. But, frankly, any web site you visit is privy to some information about your physical location by virtue of the IP address assigned to your computer by your Internet Service Provider (ISP) from a group of IP addresses reserved for your neighborhood. The logs kept by a web server, combined with a subpoena to the appropriate ISP, usually yield a street address for the subscriber assigned that IP address.

SmarterWare's Gina Trapani (formerly of Lifehacker.com) is attending the Twitter Conference in LA. She's posted updates explaining how Twitter plans to deploy this service and how they intend to protect its Twitter geolocation users from subpoenas. According to Gina, "Twitter will scrub geo-data stored in tweets more than 14 days old to avoid getting subpoena’d about a user’s location in the past. They will outright delete the location information from their database, not just anonymize."

She also reports that while,

"Twitter usually encourages developers and applications to cache data, in the case of geo, they recommend dropping historical location data so that application developers don’t become a subpoena target, either. They also recommend 'fuzzing' location and time data, so that instead of knowing that Joe Smith was at 8th avenue and 15th street at 2:11PM Eastern time on March 7, 2008, you only show that Joe was in Brooklyn on that day. The geodata-scrubbing isn’t a permanent solution. They are looking into ways to store this data in a 'safe' (anonymized?) way in the future, so they won’t always scrub +14 day old data, just at first."

Purging data that isn't mission critical, but likely to be subpoenaed makes a lot of sense. After all, no one writes "Satisfy search warrants in a timely, efficient, and effective manner" into their corporate mission statement.

While I'm convinced that Twitter's motivation is for the sanctity of the corporation, rather than its user-base, it is a step in the right direction. In fact, the direction is so right that one has to wonder why all personally identifiable user data isn't "scrubbed" every 14 days from most online services. Of course, Twitter's raison d'être, is -- among other things -- to give it's user's messages some life and legacy. It's likely that most of those users would also like to take credit for their various flashes of 140 character brilliance.

Not so, however, every time an individual fires off an instant message (IM), or searches Google. Most instant messaging services, for instance, don't store messages after they are sent, but they do store the sender and recipient's IP addresses, with their account information, and the time they logged in. While Google relies on demographic data, such as geography, income, and search interests, in order to sell ads, it doesn't need to be personally attributable to me. Companies like Google, Yahoo!, Facebook, MySpace and AOL are not in the subpoena response business. But, all of these companies employ subpoena compliance personnel, who add to the cost of doing business, but contribute nothing to the bottom-line. Worse yet, where nearly every individual in these companies, in some way, does something, either directly or indirectly, to add to the end-user experience, subpoena compliance often works in direct opposition to that objective.

As many companies learn when they're sued, subpoena compliance is often so expensive that it's cheaper to settle. A company can't be forced to produce what they don't have. And, with some significant exceptions, a company can't be forced to archive what they don't need.

By the way, I'm not just an end-user of all the services listed above, I'm also one of the twits writing the subpoenas.

You've been punked!!!

How German filmmakers hijacked part of California, stole its identity, and used it to scam an entire country.

I think I've finally figured out the origin of the expression, "If you believe that, I've got a bridge to sell you": Bluewater, California.

The "bridge" to which I refer crosses the Colorado River, and connects Bluewater, California with its sister-city, Bluewater, Arizona. According to the city's web site, downtown Bluewater offers a range of bars and restaurants where you can dine on seafood fished from local waters, get locally-grown produce from the Farmer's Market every Wednesday and Saturday, and enjoy summer poetry in the park.

Imagine the shock when KVPK7, Bluewater's own local news channel reported that the tiny city had become the target of an attempted suicide bombing by a German rap group known as “Berlin Boys”? Who on earth could conceive of such an event hitting a small town in America?  Only Hollywood. Or, in this case, a group promoting the German film, "Short Cut to Hollywood."

The group, according to Wired, set up fake web sites for the "city" (actually, an unincorporated, and largely uninhabited, part of San Bernardino County, CA), the news station, and even a Wikipedia page further authenticating the fictitious news station. They simulated news footage, and even posted local Skype phone numbers on the fictitious web sites. After receiving a tip, journalists in Germany found the fake city web site, and used the phone numbers listed to confirm the tip and interview city officials. Those numbers, of course, went right back to the pranksters in Germany. From there, the story spread through the German press.

The hoax might have lasted longer had news agencies, hungry for additional information, not called the superseding county, San Bernardino, for comment.

Think it couldn't happen here? Well, it practically did. If a handful of German artists who know how to write web pages can fool the entire German press, it certainly doesn't bode well for the common folk who rely on them. And, if part of  California can have its identity stolen, that doesn't bode well for the rest of us either. Just imagine what could have happened if the state still had its credit rating.

By the way, anyone know the German translation for "Punk'd"?

It looks like, for some, the stimulus package wasn't enough. In an ironic twist, the man often criticized for moving Trillions from the Federal Reserve Bank into the hands of failing corporations has had a far lesser sum removed from his personal bank account.

"Federal Reserve Chairman Ben Bernanke has been a victim of identity theft. His credit card company became suspicious when they noticed repeated purchases of large, failing American car companies."

- Conan O'Brien (Aired August 27, 2009)

Just days after President Obama announced Bernanke's renomination to the Federal Reserve, officials revealed that Fed Chairman Ben Bernanke was a victim of a wide-spread identity theft ring that used, "stolen personal identifying information, bank and bank record information, personal checks, and other access devices belonging to individual victims, to impersonate those victims at various bank branches throughout the country," according to the U.S. Attorney's Office.

"Identity theft is a serious crime that affects millions of Americans each year," Mr. Bernanke said through a Fed spokesman. "Our family was but one of 500 separate instances traced to one crime ring."

Though there's really nothing funny about identity theft, it just goes to prove that the problem is so pervasive that anyone can fall victim.

When searching a spreadsheet containing the drug test results of 104 professional baseball players federal prosecutors went too far, says the 9th U.S. Circuit Court of Appeals.

After lawfully executing a warrant on a Long Beach, CA drug testing lab for the test results of 10 players, agents uncovered a Microsoft Excel spreadsheet with results of every player that was tested in the program. The government argued that 94 of those results were in "plain sight".

In a 9-2 decision, the court ruled:

"The government should, in future warrant applications, forswear reliance on the plain view doctrine or any similar doctrine that would allow it to retain data to which it has gained access only because it was required to segregate seizable from non-seizable data. If the government doesn’t consent to such a waiver, the magistrate judge should order that the seizable and non-seizable data be separated by an independent third party under the supervision of the court, or deny the warrant altogether."

Citing US v. Hill, 322 F. Supp. 2d 1081 (C.D. Cal. 2004), Chief Judge Alex Kozinski, writing for the majority states the objective to,

"maintain the privacy of materials that are intermingled with seizable materials, and to avoid turning a limited search for particular information into a general search of office file systems and computer databases. If the government can’t be sure whether data may be concealed, compressed, erased or booby-trapped without carefully examining the contents of every file...then everything the government chooses to seize will, under this theory, automatically come into plain view. Since the government agents ultimately decide how much to actually take, this will create a powerful incentive for them to seize more rather than less: Why stop at the list of all baseball players when you can seize the entire Tracey Directory? Why just that directory and not the entire hard drive? Why just this computer and not the one in the next room and the next room after that? Can’t find the computer? Seize the Zip disks under the bed in the room where the computer once might have been."

Four players whose names also appeared in the seized spreadsheet were leaked to The New York Times. Alex Rodriguez, David Ortiz, Manny Ramirez and Sammie Sosa were not included in the search warrant, but Kozinski added, "those players suffered harm as a result of the government's seizure."

The decision crafts Miranda-style guidelines for prosecutors and judges to protect Fourth Amendment privacy rights while conducting computer searches.

I have participated in testimony to a similar effect, whereby courts have ruled that spouses cannot provide consent to search an entire hard drive when directories are clearly controlled by one individual. Likewise, I have been asked by the court, on many occasions to parse data applicable to a search warrant from a mountain of otherwise inadmissible data.

Although this decision only addresses computer hard drives, it clearly has long-reaching implications. After all, nearly every electronic device has become, or will become, computerized to some extent.

While the US government is considering its next move, I expect this may be a sign of things to come.

Israeli scientists are declaring war on DNA evidence. According to a paper published today in the journal, Forensic Science International: Genetics, scientists in Tel Aviv have have demonstrated that it is in fact possible to fabricate DNA evidence, opening up an entirely new avenue of reasonable doubt.

As quoted to the New York Times by lead author, Dr. Dan Frumkin, “You can just engineer a crime scene. Any biology undergraduate could perform this.”

Not surprisingly, Dr. Frumkin also claims to have developed a test to distinguish real DNA from manufactured evidence, which he hopes to sell to forensic labs.

If confirmed independently, this could spell the end to what has long been regarded as a flagship of forensic evidence--at least in prime time television--and usher in an age where DNA hacking becomes the newest form of identity theft.