What Does Rumsfeld Need to Do To Be Fired?

Law prof. Marty Lederman explains (in great detail) that “Army Confirms: Rumsfeld Authorized Criminal Conduct:”

On November 27, 2002, Pentagon General Counsel William Haynes, following discussions with Deputy Secretary Wolfowitz, General Myers, and Doug Feith, informed the Secretary of Defense that forced nudity and the use of the fear of dogs to induce stress were lawful techniques, and he recommended that they be approved for use at Guantanamo. (The lists of techniques to which Haynes was referring can be found in this memorandum.) On December 2, 2002, Secretary Rumsfeld approved those techniques for use at Guantanamo — and subsequently those techniques were used on detainee Mohammed al-Qahtani.

In other words, the Secretary of Defense authorized criminal conduct.

Loyalty to your subordinates should stop when they break the law. It’s time for Rumsfeld to face charges for his actions.

(Image from SocialNetve.org.)

Security Breach Roundup

  • State of Ohio, 7.7 million registered voter SSNs, dismal process. From “Ohio Recalls Voter Registration CDs” via Dataloss.
  • Fifth Third Bank employee Marco Antonio Munoz, 74 pages of names of victims, dismal dependence on process, from “Internal theft of personal bank data rare,” in the Cadillac News. Someone’s PR department deserves a bonus for that headline. Via Canadian Privacy Law Blog.
  • University of Alaska Fairbanks, 38,941 SSNs, Hacker. From “Officials urge people to be on alert for fraud,” Fairbanks Daily News-Miner.
  • Hong Kong Police, 20,000 complainants, “private company.” From “Hong Kong: Former police complainants exposed on the Internet” (RISKS Digest summary of a Radio Australia story.)
  • Iron Mountain (again), 17,000 Long Island Railroad Employee SSNs, lost records. From “Personal Data of NY Transit Employees Lost,” via Dataloss. Interesting view into what happens when companies are given the choice of interpretation:

    [NY Police spokeswoman] Farello said the driver contacted authorities after noticing outside the Bronx VA hospital that the containers were missing.

    The company is treating that as “we misplaced them” rather than as theft. The New York Police are unspun, and are treating it as theft. It’s good that the law doesn’t give the company discretion to be gullible on your behalf.

  • Lastly, not quite a breach, but apparently soccer fans are complaining (with good reason) about the amount of data being gathered on them by the Germans. Here I thought the Germans had good data protection laws. Maybe someone will investigate why all this data was collected? See “FIFA Criticizes Data Gathering At World Cup” at CSOOnline.

DoD Tricare Management Activity system, SSNs, credit card numbers, health info, 14K people

Via Army Times:

The Pentagon said routine monitoring of the Tricare Management Activity’s public servers on April 5 resulted in the discovery of an intrusion and that the personal records had been compromised, leaving open the possibility of identity theft among the members affected. The information contained in the files varied and investigators do not know what, if any, criminal intent the perpetrators had, or if the information would be misused.
Affected members were notified by mail earlier this month and the Defense Criminal Investigative Service has begun an investigation, defense officials said.

Tricare is the U.S. military health system. If you visit their web site, you find this:

If you received a notification letter regarding a potential compromise of your personal information and you have questions, please call 1-800 600-9332. Please do not call the Defense Criminal Investigative Service number referenced in the letter. We regret the inconvenience.

I believe the relevant acronym is SNAFU.

Big Brother Has Your Best Interests At Heart

So pay no attention to the thoughtcriminals who are not bored, and their ridiculous propaganda documenting “Abuses of surveillance cameras.” We all know that cameras never lie, film can’t be edited or mis-interpreted, the police would never use cameras to look in your bedroom window, and that the videos taken will be strictly controlled. Those who try to convince you that the camera adds ten pounds are also those who think that there are abuses of surveillance cameras. Really, though, what is meant by abuse? It is the wrongful use of something. As we all know, the President has inherent Constitutional authority as Commander-in-Chief to take those actions he deems needed to protect all Americans and the freedoms we enjoy. As President he has inherent authority to watch your every move, and we are all thankful that he chooses to exercise these rights. Further, by creating the best-documented generation in history, he is providing countless current and future historians with an unparalleled look into how each of us goes about our day, keeping American Values in our hearts at all times.

Why would anyone think it an abuse of surveillance cameras to capture evidence of so-called “peaceful protesters” taking to the streets and supporting terrorists? Even if some of the evidence isn’t provided to defense counsel, the President deserves credit for allowing defense counsel at trials. Claims that these “edited” videos don’t present a “full picture” are clearly wrong. Each and every frame of a video is a full picture. Those full pictures, each and every one of them, are far more evidence than before Big Brother deployed cameras like this.

Won’t someone think of the children? Dedicated government employees like Brian J. Doyle spent hours reviewing videotape of children. In the future, cameras will prevent traitors like Doyle from approaching children, because they will fear the cameras. Of course, people like Doyle will know where the public cameras are, so there will be a second, secret set of cameras, so as to protect the children from abuse of surveillance cameras.

All this because Big Brother wants to spend your money to keep you safe. Don’t you feel safer already?

Live Free or Die: New Hampshire Rejects National ID

Be it Enacted by the Senate and House of Representatives in General Court convened:

Prohibition Against Participation in National Identification System. The general court finds that the public policy established by Congress in the Real ID Act of 2005, Public Law 109-13, is contrary and repugnant to Articles 1 through 10 of the New Hampshire constitution as well as Amendments 4 through 10 of the Constitution for the United States of America. Therefore, the state of New Hampshire shall not participate in a national identification card system; nor shall the department of safety amend the procedures for applying for a driver’s license under RSA 263 or an identification card under RSA 260:21

From Devvy Kidd, who has some good commentary, and also Privacy Law.

Aetna Insurance, 38K customers, names+SSNs, health info, stolen laptop

Report via Reuters.
Aetna declined to say where this occurred or which law-enforcement agency they are working with, but it looks like the employer whose folks just got their PII exposed was the US Department of Defense.
Stars and Stripes has the scuttlebutt from HQ:

The laptop was stolen from an employee’s personal car in a public parking lot. While Aetna has strict safeguards on such matters, “the employee did not follow all company policies in this instance,” Michener said. Michener refused to say whether any disciplinary action would be taken, saying it was a “personnel matter.”
A few thousand other Aetna customers also lost data, but they do not fall under DOD, Michener said.
The company is sending three letters: one for those whose information included their social security number, one for those whose information included health information, and one for those whose information contained both.

Purdue University, 1351 applicants+students, SSNs, “unauthorized electronic access”

“Unauthorized electronic access”. Not sure if that’s a poorly configured web server, or what.
Press release today.
Happened in February.
Notices sent at some unspecified time.
Indiana only requires state agencies to disclose breaches, the law isn’t in effect yet, and the legislative and judicial departments aren’t considered state agencies.
Quoth “Mark Smith, head and professor of the School of Electrical and Computer Engineering” [wording from Purdue’s own press release]:

Removing Social Security numbers from all of the university’s business practices is an enormous and expensive process, but the university has mandated that every possible step be taken to solve this problem by the end of this calendar year.

Better late than never. Cue up the usual lecture about externalities.

Tony Chor on Presenting at MIX

Tony Chor has a good post on “Backstage at MIX06.” The effort that goes into a good presentation, including the practice, the extra machines, the people to keep them in sync, etc., is really impressive:

Normally, when I do a presentation and demo, both the demos and the presentation are on the same machine. I advance the slides and do the demo myself. Sometimes, for a big talk like my keynote at Hack-in-the-Box, we separate out the slides and demo onto separate machines (especially when the demos have pre-release bits like Windows Vista or IE7) and maybe I’ll have someone help me with the demos/slides to keep things running more smoothly.

Well, MIX took that to a whole new level. First, the demo machine was backstage, connected to a monitor, keyboard, and mouse via a switch. We also had a backup demo machine hooked up.

I’m in Montreal at SIGCHI. (Pronounced “Kai.” Who knew?) I realize I haven’t gotten in touch with a slew of people I’d like to see. If you’re one of them, or think you’re one of them, or would like to be one of them, let me know!

Slippery Slope, Gaping Chasm and Torture

In February of last year, I told you about Lester Eugene Siler, a Tennessee man who was literally tortured by five sheriff’s deputies in Campbell County, Tennessee who suspected him of selling drugs. The only reason we know Siler was tortured is because his wife had the good sense to start a recording device about halfway through the ordeal.

The audio is now available online (read the transcript here). Drug war outrages lend themselves to overuse of superlatives. But I gotta say, this may be the most horrifying 40 minutes of audio I’ve ever heard.

So writes Radley Balko in “Torture and The Drug War.” I don’t know, but I suspect the very existence of a “debate” around torture civilizes this sort of repulsive behavior in a way we should not tolerate. I hope those responsible get the book thrown at them.

Sebastian Holsclaw has other comments at “Drug War Atrocity,” where I found the story.

Infocard: Have I Started a Trend?

After I posted “Infocard, Demystified,” I’m finding a whole lot of articles about it. Mario posted links to “A First Look at InfoCard” and “Step-by-Step Guide to InfoCard” in MSDN magazine, which are useful, but longer descriptions.

In “What InfoCard Is and Isn’t,” Kim Cameron reprints an article from Computer Security Alert.

So now I feel compelled to learn something more about Infocard before shooting my mouth off again.

Bin Laden Tape

Walid Phares summarizes the new Bin Laden tape at “New Bin Laden Tape: Ten Main Points,” and analyzes it in “Bin Laden’s ‘State of the Jihad’ Speech:”

One more time Al Jazeera promotes an Usama Bin Laden speech. After airing portions of the Bin Laden audiotape al Jazeera posted large fragments of the “speech” on its web site. This was the longest version possible we were able to have access to. After careful reading, my assessment of the “piece” got reinforced: This is not just another audiotape or videotape of a renegade in some cave. Regardless of who is the speaker and his whereabouts, the 30 minutes long read statement is a declaration, probably as important as the February 1998 declaration of war against America, the Crusaders and their allies.

Phares is an insightful analyst, and if he says this is as important as the 1998 declaration of war…well, read his “Bin Laden’s ‘State of the Jihad’ Speech.”

Man Charged For Notifying USC of Vulnerability

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data.

A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June with news of a flaw in the Web server and database system used to accept online applications from prospective students. SecurityFocus notified the University of Southern California of the vulnerability and worked with the university to close the flaw before publishing an article about the issue.

“It wasn’t that he could access the database and showed that it could be bypassed,” said Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice’s cybercrime and intellectual property crimes section. “He went beyond that and gained additional information regarding the personal records of the applicant. If you do that you are going to face, like he does, prosecution.”

The clear message: Next time, don’t tell.

[Update: The story quoted is Rob Lemos, “Man Charged With Accessing USC Student Data.”]

[2nd Update: Rob Lemos has a good three page story on this, “Breach case could curtail Web flaw finders.”]