When referring to the case, an eBay spokesperson stated the obvious

“What the case highlights is the importance that people need to place in choosing a sensible password,”

What exactly makes for a good password? I read an article once (can’t remember where) that said to do the following:

1. Think of your favorite phrase, quote, or song lyric that’s at least 8 words long.
2. Take the first letter of each word.
3. Substitute numbers for letters.

The example I remember was a Dr. Seuss quote, so I’ll use an Animaniacs spin-off of Green Eggs and Ham:

1. Phrase: “I does not like gold eggs and meat.”
2. Take the first letters of the phrase: idnlgeam
3. Now, substitute some numbers for letters.”i” and “l” kind of look like “1″ and “e” looks like a backwards “3″ so “1dn1g3am”.

The system has been working for me - and since I create my password from scratch with a meaning behind it, I have a greater tendency to remember it.

Is there another solution? I read a few months back that eBay (or, at least, Paypal) was looking into implementig security keys.GearFuse.com posted a picture of these security devices, which generate unique keys every 30 seconds. Users must type in that unique key along with their username and password.

It sounds like a pain to use, but perhaps something like that would reduce the number of phishing scams. If scammers need your randomly generated security key along with your username and password, that may make the stolen data more difficult to use.

Do you still have the right to name the doctors on the site?

That was a case heard by the Philadelphia appeals court last week against Pennsylvania resident, Dominic Morgan. Morgan had kept the names of the doctors off his website until his medical malpractice case ended. Since he didn’t sign a non-disclosure agreement, he then added the names of the doctors to his website, http://www.lasiksucks4u.com.

Not long after, he got a nastygram claiming he was libeling the doctors.

The case went to the Court of Common Pleas in Philadelphia, where a judge ruled that he did, in fact, waive his right to further criticize the doctors by taking down the site. That’s when Public Citizen stepped in to help.

In June 2006, they filed an appeal in the Pennsylvania Superior Court in Philadelphia to reverse the decision, and last week, the judge overturned the lower court’s decision.

Note - this case isn’t about whether or not he libeled his doctors. It’s about whether he waived his rights to criticize the doctors when he took the content down.

If the lower court decision would have stood, it would have a chilling effect on freedom of speech. Large companies often bully the small guys by shooting off nastygrams demanding they take down their content. Initially, many of the little guys do. The question here was - does doing so mean they agree not to discuss the matter in the future? Thankfully, the legal answer is now “no”.

Source: Dave Farber’s Mailing List via TechDirt

Not surprisingly, there are a lot of “opportunists” out there who give up their info in exchange for this possibility of wealth. These gullible saps soon become the victims of identity theft.

So, how does it work?

Police have just arrested two guys in Florida who allegedly run one of these identity theft scams. They’ve been trolling neighborhoods looking for vacant homes where they can send credit cards, bills and other mail without the home owner’s knowledge. Then, they apply for all sorts of credit cards, have them sent to these homes, and collect the mail.

The scary thing is that it sounds like police caught these two guys by accident. A patrol car just happened to be cruising the neighborhood and see a Pontiac drive up to a mailbox and grab the mail. They pulled the guys over, questioned them, and then searched their car - where they found all sorts of information in the names of other people.

Even more scary, one of the guys - Adentuji Idowu - has been investigated by the Secret Service since 1992 and has been arrested twice for committed identity fraud.

The moral? If an opportunity sounds “too good to be true”, it likely is. Save yourself a lot of time and hassle by not providing your personal information to anyone that offers you several million dollars. Learn how to protect yourself from identity theft.

In vishing schemes, scammers call up random numbers, provide a fake 1-800 number, and ask you to call to confirm your credit card information and other account details. They set up these numbers through Skype, Vonage, and other VoIP providers. They can even spoof the caller id to make it look like they’re really from the institution they report to be from.

The CIO Blog warns

customers should be highly suspicious of any phone or e-mail contact that does not use their first and surnames, and should never dial a call-return number or reply to an e-mail regarding any financial matter.

I’ve always been cautious to give out my credit card number over the phone. These latest reports of “vishing” are just scary. It seems there’s nothing you can do to protect yourself other than be extremely cautious. At least with the internet, you can run a whois search on sites that seem sketchy. With the phone, how can you double check?

For those of you who don’t want to download the info, there’s a number of web interfaces up at AOLSearchDatabase.com, AOLSearchLogs.com, and AOLStalker.com to allow anyone to search the database - or you can get some of the highlights from CNN.com.

The gist is that AOL released 20 million records of real queries to their database, which happens to be powered by Google. AOL usernames were replaced with a unique number, but that number was associated with every search they did - including people, social security numbers, and addresses. As you might imagine, this caused lots of concern over privacy of data and what should and should not be allowed. Weblogs, Inc CEO turned AOL employee, Jason Calacanis even called for search engines to not keep search logs. Google apparently was not swayed to stop keeping logs, though they assure us their employees won’t release the data.

And by Wednesday, the first searcher was identified by the NY Times.

Ms. Arnold, who agreed to discuss her searches with a reporter, said she was shocked to hear that AOL had saved and published three months’ worth of them. “My goodness, it’s my whole personal life,” she said. “I had no idea somebody was looking over my shoulder.”

Looking through the data released, it’s not difficult to see why the government wants this information. Earlier this year, Google was the only search engine to refuse to hand over search logs to the Department of Justice. AOL, MSN, and Yahoo all handed over their logs when asked.

The interesting thing is that this incident may spark new legislation from Congress. Representative Edward Markey (D-Mass.) proposed a privacy bill back in Feb 2006 and is now encouraging his colleagues to take action

Markey’s bill is H.R. 4731, the Eliminate Warehousing of Consumer Internet Data Act (EWOCID). The bill would require Internet companies to destroy obsolete electronic data, and particularly data that could be used to individually identify consumers. The bill would also instruct the Federal Trade Commission to set up standards for the maintenance and destruction of data, and enforce the provisions of the law.

There are two types of threats that can be considered spyware:

1. Trojan viruses and “keyloggers” - these malicious programs install themselves on your computer, track your internet activities, and send your personal information back to hackers.
2. Adware - these are programs that spy on your internet activity for the purpose of showing you more relevant advertisements or to redirect you to other websites.

The first type is illegal. The second isn’t but can be annoying and slow your computer to a crawl or prompt pop up ads whenever you’re online.

How To Stop It
According to the Pew report, 91% of internet users say they’ve altered their internet behavior to avoid spyware. According to the numbers

• 81% have stopped opening email attachments unless they are sure they are safe (9% say they never did)
• 54% have started reading user agreements more carefully before they download software
• 48% have stopped visiting certain websites
• 34% have stopped downloading software programs from the internet (while 33% say they never did)
• 25% have stopped downloading music or videos from peer-to-peer networks (48% more say hey never did)
• 18% switched to a different browser

How To Remove It
There are a number of programs out there that will scan your computer for installed spyware and adware and remove it. I highly recommend:

Spybot
LavaSoft’s Ad Aware
Spy Sweeper

I find that it’s generally best to install at least two of them, as one will inevitably miss some stuff that the other will pick up.

In the first case, Charles White and Allen Smith allegedly headed up a 10 person group who defrauded banks to the tune of at least $1 million. By using the names, social security numbers, addresses, and dates of birth of potentially hundreds of customers of Commerce Bank, Wachovia Bank, PNC Bank, and M&T Bank, they were able to cash foreign and counterfeit checks as well as withdraw funds from current customers’ accounts.

In an unrelated scheme, 10 more individuals were charged with mortgage and identify fraud that involved 180 properties, most in South and Southwest Philadelphia, that could cost the government and private lenders more than $11 million.

Mahn Huu Doan was charged with submitting bogus bank records, W-2 forms and pay stubs to get government backed loans. He was going to resell the homes for profit, but when they didn’t sell, Doan couldn’t pay back the loans. The properties will go into foreclosure.

“Foreclosures affect everyone in Philadelphia,” U.S. Attorney Meehan said, citing a recent study by the Reinvestment Fund. “For every foreclosure within a block of your house and within a year, your house will lose 1 percent of its value. You can therefore imagine the impact that 180 foreclosures will have on our neighborhoods.”

In a third case, Kasimu Clark allegedly recruited bank employees to provide personal information about customers. He then distributed phony IDs to his crew of 8 or so (only Clark has been charged so far), and the group proceeded to cash checks and withdraw some $1.2 million.

Source: U.S. Attorney Announces Multiple Identity Theft and Mortgage Fraud Indictments24 are charged in 6 ID-theft rings
ID-fraud indictment names 24

The lawsuit, filed last Monday in the District Court of Travis County, Texas, were aware that sexual predators troll MySpace looking for children. The suit seeks damages of no less than $30 million for fraud and negligence in misrepresenting their security measures to protect children and teens. The suit also charges 19-year-old Texas resident Pete Solis with sexual assault and emotional distress.

According to the lawsuit, on April 6, Solis contacted the girl via MySpace and reportedly lied about his background - that he was a high school senior. She provided her cell phone number and 6 days later, the two met and he allegedly sexually assaulted her.

MySpace has responded by restricting adult access to information teens provide about themselves. Starting next week, anyone over the age of 18 can’t request to be on a 14 or 15 year old’s friends’ list unless they already know the youth’s email address or full name.

Of course, it’s not that difficult to lie about your age on MySpace. What’s preventing adults from claiming to be teens? There’s no way MySpace can put any type of age verification into place without serious privacy concerns. I mean, it’s not like they’ll be able require social security numbers which are then checked against government data.

Personally, I don’t really see how MySpace is liable for this. It would be next to impossible for them to moderate every piece of information that people post to their site.

I also don’t see how legislation in the House of Reps right now - the Deleting Online Predators Act, which will supposedly block access to online social networks at schools - will help.

I think a better solution is for parents and schools to educate teens about what information is appropriate to divulge online. But even that requires parents to be aware of this relatively new social media phenomenon and take measures to interact and be a part of their children’s lives…

Larry Dignan of eWeek thinks that it’s time corporations are fined for losing data. This year alone, we’ve heard of the 26.5 million veterans info that was stolen from an employee’s house, the YMCA lost a laptop containing personal info of 65,000 people in May, Hotels.com may have exposed data for 243,000 individuals, and just last week a laptop containing personal information of 13,000 District of Columbia employees and retirees was stolen out of the home of an employee of ING U.S. Financial Services.

You’d think companies would keep that kind of sensitive info secured in a database on their servers rather than unsecured with no password or encryption on a laptop. Why do these employees need to carry that kind of info outside the office? And even if they did need to access some of the data, there are ways that companies can allow employees to access their servers securely.

The Department of Veterans Affairs is facing two class action suits for their loss of data. Plaintiffs are seeking $1000 for each person listed in the database - that’s $26.5 billion.

The suits were filed under the US Privacy Act, which only applies to government data breaches but perhaps it’s time to offer stiff penalties about those in the corporate world as well.

Information Week now has an article on data grabbing. Did you know that the FBI sends 30,000 national security letters - special subpoenas that don’t require a judge’s signature that allow the FBI to request bank, insurance, phone, ISP and credit report records (thankfully, medical records are not included) - each year? And unlike subpoenas, companies who receive a national security letter can’t disclose that they’ve received one?

Subpoenas can at least be fought in court, as Google did, but now the Justice Department is asking Google, AOL, Verizon and other internet bigwigs to keep their subscriber information and customer data for at least two years - you know, in case the government needs it for a criminal investigation.

What might government agencies do with all the business and Internet data they’re collecting? Some skeptics worry about a single massive database where all kinds of information gets crunched together, providing a complete picture of Joe Citizen. That seems a remote possibility, though researchers at the Defense Advanced Research Projects Agency did work on a system several years ago that would have mined data in that way to identify terrorists. That program, dubbed Total Information Awareness, was scrapped more than two years ago under public pressure.

A different but related concern is that data collected for one purpose could get used for another. USA Today last week reported that the FBI plans to use its database of DNA evidence, collected from convicted criminals and some others upon arrest, to help identify thousands of dead people whose identities aren’t known.

There’s also the concern that once the feds gets their hands on data, they can’t be trusted to secure it. Look no further than last month’s news of a stolen laptop and external hard drive containing data on 26.5 million military veterans and family members. The Veterans Affairs Department has been fingered for its lack of security before, but it’s not the only agency with low marks. Security becomes even more of an issue as more data accumulates and gets retained longer.

Encryption is one solution, but encrypted data can’t be searched easily and is thus less useful to the government. Nothing, it seems, about data sharing between businesses and government is destined to be easy.