TJX, the company that is known for having the largest data breach in history (so far), has not implemented better security and might have gotten worse. The employee who blew the whistle on them has been caught and fired for it.
TJX now has a firm that scours the internet to find bad things posted about them, which is how they found the message and fired him for it. Too bad they don't appear to have hired anyone to beef up operational security or to convince people to use strong passwords.
Hey! That probably means they'll find THIS page. Sweet.
If that's the case, then here's my message to them: Stop storing all that personal data about us against our will and you won't have to pay for more security. You can't lose what you don't have, duh!
Tags: Careful What You Post, Data Abuse, Kill the Messenger, TJX, Wireless Security
This should be interesting. If China didn't take some serious precautions when implementing RFID for their tickets, we should be hearing any day now about people who remotely cloned someone else's ticket and got into the game, denying access to the legitimate ticket holders.
Or, since passport information is stored on the ticket as well, someone with a scanner can find anyone from a given country should they wish to target someone based on their nationality. Let's see what happens.
(H/T to slashdot for the link)
Tags: RFID
It's amazing and I promise it's no joke, but both Congress AND Bush did something right by drafting, passing, and then signing into law the Genetic Information Nondiscrimination Act.
Some provisions of the law include:
- Prohibiting group health insurance plans and issuers offering coverage on the group or individual market from basing eligibility determinations or adjusting premiums or contributions on the basis of an individual's genetic information. Insurance companies cannot request, require or purchase the results of genetic tests, and they are prohibited from disclosing personal genetic information.
- Prohibiting issuers of Medigap policies from adjusting pricing or conditioning eligibility on the basis of genetic information. They cannot request, require or purchase the results of genetic tests, or disclose genetic information.
- Prohibiting employers from firing, refusing to hire, or otherwise discriminating with respect to compensation, terms, conditions or privileges of employment. Employers may not request, require or purchase genetic information, and they are also prohibited from disclosing personal genetic information. Similar provisions apply to employment agencies and labor organizations.
So much for the future shown by the movie Gattaca.
Note that McCain would have probably vetoed it based on what I heard about him the other day.
(H/T to slashdot for the link)
Tags: Bushiness, Gattica
Today there was a talk about cyberbullying that revealed some really fascinating information. Elizabeth Englander from MARC (the Massachusetts Aggression Reduction Center) gave a very spirited talk with some good statistics from her group's studies.
- Grappling is the name for either staging a fight or ambushing someone and recording it to upload to Youtube later. There has been at least one suicide as a result of these attacks where a girl was attacked, stripped, and violated with the entire episode uploaded to Youtube.
- When asked what the motivation was for being a cyberbully, kids (ranging from middle school to college) listed mostly either "because it was fun" or "because I was angry". The most interesting thing about this statistic is that it broke down almost perfectly along gender lines. Can you guess which is which? Boys did it for fun and girls because they were angry.
- There's at least one school district where the teachers have threatened to strike unless they are allowed to collect cellphones at the door. This comes out of situations like the one where students provoked their teacher on purpose and recorded his angry reaction for upload to Youtube.
Another very interesting point came up when Elizabeth was asked about the effectiveness of Public Service Announcements about cyberbullying: in her state at least, they held a contest for teens to create public service announcements that would get the message out to people of their own age. That's brilliant! As a commenter in the audience said, the "This is your brain on drugs" and "I learned it by watching you" PSAs from our youth were really more of a joke than anything. Teens are probably best equipped to create something that their peers will pay attention to.
You can find out more about MARC at their website.
Tags: CFP, Kids
Today, before the first panel at the conference, I heard a presenter who had to be in his 70s or close to it say, "I feel so naked without my laptop".
And that has been today's CFP conference highlight.
Tags: CFP
I was given the opportunity to give a five minute talk on any topic of my choice relating to computers, freedom, or privacy preceding the conference dinner on Wednesday. Narrowing down all the things I would want to say was difficult at first, but of course had to be nothing other than credit freezes.
It drives me nuts that there are still so few people who know about this very important tool, and I made sure that at least my fellow computer, freedom, and privacy advocates and peers would know. It turns out that there were many who hadn't heard of it before. After my talk, many people came to ask me for more details or to tell me that they had spread the word to their friends and family. One even invited me to come speak at his church at a large event he's hosting in the fall!
It's a good start.
Tags: CFP, Credit Freeze
I have been challenging the value of Lifelock for a while based on the fact that they claim to prevent ID theft, but can't. It looks like several other people have come to that conclusion and are busy suing Todd Davis for as much of his millions as they can get.
The problem is that even with CNN, Wired, and Yahoo finally getting around to spreading the word, Lifelock is still going very strong.
Even though I've been chasing Lifelock postings around on the net and posting comments letting people know the truth, I don't think my efforts are going to amount to much in the long run.
That's why I've decided to challenge Todd Davis directly. He's obviously a showy type that feels comfortable challenging others so now it's time to turn the tables.
I've looked into Lifelock's features and found them useful, but far from worth the money spent. But with only one feature addition, that could all change. So let's get to it:
Dear Todd Davis,
You appear at first glance to be quite the swift talker. You've promised to prevent ID Theft, but for some reason, you ignore the one and only tool that can actually do that: credit freezes.
I don't know why, perhaps you didn't know about them. But leaving your motivations and ID Theft experience aside, you can and should include credit freezes into your service immediately. Not only would you actually be able to prevent ID theft as you originally claimed, but you'd be able to help your customers in a very real way.
If you were to include both the freezing and as-needed thawing of freezes into your service, even I will agree that Lifelock has value.
Sure, I won't recommend it to everyone I know and I won't use it myself, but I would be able to honestly recommend it to people who would otherwise never get or use a freeze if they didn't have your service's help.
So pay attention Mr. Davis: If you want to turn public opinion toward your company and prevent the inevitable tide of negativity that threatens to drown you, perhaps you should consider making good on your word and actually prevent identity theft.
Sincerely,
-Jeremy Duffy
Awareness Advocate
P.S. If you don't know what credit freezes are, click here.
So there you have it. What are the odds that he'll actually respond? We shall see…
Tags: Identity Theft, Lifelock, Todd Davis
I ended up sitting next to Peter Pietra, the head of the privacy department at the TSA. This gave me an interesting opportunity to talk about issues of privacy when dealing with their agency and the first thing I asked was about the pornographic backscatter x-ray devices.
He was clearly frustrated (and I don't blame him), as I'm sure this is a topic that assaults him regularly. The issue is that backscatter CAN see through your clothes, but the TSA orders the devices preconfigured at a level that prevents them from seeing pictures such as the ones on the Internet. They are also unable to modify the configuration. In fact, what they actually see, as shown on their site, is a smeared blob that highlights objects, but not skin.
The issue that I have here is that if the TSA's claims of how they use the technology are true, then what the hell was all the hype about?
Images will be deleted immediately once viewed and will never be stored, transmitted or printed (the passenger imaging units have zero storage capability)
Metallic and non-metallic objects are displayed, including all items that a passenger may be carrying on his/her person
Also, according to the website, you can always choose to have a pat-down instead.
I asked Peter about this because it seems to me that most people aren't going to know to go to the website and read about backscatter before being faced with it at an airport. He said that the sample picture from the web is printed right on the machine, and people are supposed to be shown the picture and told of the pat-down option prior to being scanned.
Final Thoughts
I notice that the picture on the TSA site is from behind, so it probably doesn't fairly show how much frontal detail they would see; for full disclosure, they should show a frontal picture. However, I can understand why someone wouldn't want to show what amounts to nudity from these machines for propriety reasons, and I don't necessarily consider that evasive.
What more can you ask for than clear disclosure and a reasonable choice? Granted, the technology can be used for worse things, but the device is about as small and conspicuous as a casket, so you'll never be scanned without your knowledge. If they are configured correctly, store nothing, and you can opt for a pat-down, then perhaps some have been too harsh on both the technology and the agency.
Speaking of which, EPIC's article that led me to write about backscatter in the first place unfairly shows the capabilities of backscatter while ignoring the actual use of the technology by the TSA. I'm sure there's someone from EPIC around the conference somewhere and I'll be sure to ask them about it.
Update
I found a few people from EPIC and told them that I felt that if the TSA is truly making efforts we want to support, we should reward them for it by providing coverage and modifications to our articles (without removing the information about the possible abuses that still might result). The man I spoke to agreed, though it will be interesting to see how quickly it changes, if at all.
Update 2008.09.24
I realized that I hadn't seen any progress here and decided to make a little more effort. I sent this e-mail to Lillie Coney, the EPIC Associate Director:
We'll see what, if anything, happens.
Tags: Backscatter, TSA
Last year, credit reporting companies “voluntarily” implemented credit freezes in all states in a desperate attempt to prevent more states from passing laws with worse terms than they wanted (that’s my theory anyway).
Now Georgia has passed just such a law. Starting August 1st, people will be able to freeze their credit for only $3, a full $7 less than the $10 the credit reporting companies allowed in their “voluntary” plan.
Even better:
The new law also eliminates a major objection of retailers and other grantors of instant credit: that freezing a file was too much of a hassle for someone applying for an in-store credit card or car loan on the spot. Under the law, consumers will be able to “thaw” their files temporarily, and credit bureaus are required to comply within 15 minutes of the request — a first in the country.
Good. Now they have no excuse for making the thawing process more difficult for any other state.
Tags: Identity Theft