From brian at thejohnsons.co.uk Tue Jun 7 10:00:04 2011
From: brian at thejohnsons.co.uk (Brian L Johnson)
Date: Tue, 07 Jun 2011 10:00:04 +0100
Subject: RSA finally comes clean: SecurID is compromised
Message-ID:

It's been a bit quiet around here, so...

"RSA finally comes clean: SecurID is compromised"
http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars

Details of the original attack (rather than the consequences) at:

"Attack on RSA used zero-day Flash exploit in Excel"
http://news.cnet.com/8301-27080_3-20051071-245.html

--
brianlj


From mikie.simpson at gmail.com Wed Jun 15 10:49:15 2011
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Wed, 15 Jun 2011 10:49:15 +0100
Subject: impressive health dataloss
Message-ID:

http://www.theregister.co.uk/2011/06/15/eight_million_health_records/

Even in these post-Sony days 8+ million health records ("anonymised"
but still containing age and postcode) going missing is quite
staggering.

Someone needs to tell DoH that simply putting a password on a laptop
without whole disk encryption is not a barrier to using rainbow tables
to ascertain said password, yet it is still trooped out as the first
line of the "it will be ok" statement from the guilty.

mike


From tugwilson at gmail.com Wed Jun 15 12:14:30 2011
From: tugwilson at gmail.com (John Wilson)
Date: Wed, 15 Jun 2011 12:14:30 +0100
Subject: impressive health dataloss
In-Reply-To:
References:
Message-ID:

On 15 June 2011 10:49, Michael Simpson wrote:
> http://www.theregister.co.uk/2011/06/15/eight_million_health_records/
>
> Even in these post-Sony days 8+ million health records ("anonymised"
> but still containing age and postcode) going missing is quite
> staggering.
> Someone needs to tell DoH that simply putting a password on a laptop
> without whole disk encryption is not a barrier to using rainbow tables
> to ascertain said password, yet it is still trooped out as the first
> line of the "it will be ok" statement from the guilty.

Indeed, or just take the disk out of the laptop and read it on another machine.

Many worrying aspects to this.

They say they "manually delete" data after use. I'll put money on that being a non-secure delete process.

They waited 3 weeks before notifying the police (that's really fishy, especially as they say they have recovered some of the laptops; I wonder how?).

It was in a store room, which implies that it wasn't actually being used, so why is there still data on it?

Are they required to write to all those whose data they have lost? If so they'll be buying a hell of a lot of stamps.

Anybody up for an FoI request for their data/computer security policy and procedures?

John Wilson


From amidgley at gmail.com Wed Jun 15 17:47:16 2011
From: amidgley at gmail.com (Adrian Midgley)
Date: Wed, 15 Jun 2011 17:47:16 +0100
Subject: impressive health dataloss
In-Reply-To:
References:
Message-ID:

Putting that data on a laptop was a bad idea.

Creating a collection of 8.6 million (people's?) health records was a bad idea which facilitated the operation of the other bad idea.

As for deletion, many people think that unlinking files deletes data. In Unix-like computer systems the description as "unlinking" seems less likely to encourage sloppy thinking and error.

Here's an example
http://www.rdehospital.nhs.uk/docs/patients/services/dermatology/Photographic%20advice%20teledermatology.doc

I did experiment, and then tell the photographer my results, but he is happy with it the way it is.

--
Adrian Midgley
http://www.defoam.net/


From roger at hayter.org Wed Jun 15 13:04:03 2011
From: roger at hayter.org (Roger Hayter)
Date: Wed, 15 Jun 2011 13:04:03 +0100
Subject: impressive health dataloss
In-Reply-To:
References:
Message-ID:

In message , Michael Simpson writes
>http://www.theregister.co.uk/2011/06/15/eight_million_health_records/
>
> Even in these post-Sony days 8+ million health records ("anonymised"
>but still containing age and postcode) going missing is quite
>staggering.
> Someone needs to tell DoH that simply putting a password on a laptop
>without whole disk encryption is not a barrier to using rainbow tables
>to ascertain said password, yet it is still trooped out as the first
>line of the "it will be ok" statement from the guilty.
>
>mike
>

The sale of such "anonymised" databases to researchers (which might include multinational pharmaceutical companies) is, of course, one reason why some of us are not keen on the idea that the DoH should be able to use our health information for such purposes without individual consent.

--
Roger Hayter


From anish.mohammed at gmail.com Wed Jun 15 17:58:17 2011
From: anish.mohammed at gmail.com (Anish)
Date: Wed, 15 Jun 2011 16:58:17 +0000
Subject: impressive health dataloss
Message-ID: <1842919429-1308157100-cardhu_decombobulator_blackberry.rim.net-840045743-@b1.c2.bise7.blackberry>

>The sale of such "anonymised" databases to researchers (which might
>include multinational pharmaceutical companies) is, of course, one
>reason why some of us are not keen on the idea that the DoH should be
>able to use our health information for such purposes without individual
>consent.

Btw if u have ever been a researcher in privacy or anonymising protocols u might find "anonymous" health data interesting - to put it mildly

Sent from my BlackBerry wireless device


From james2 at jfirth.net Fri Jun 17 11:08:01 2011
From: james2 at jfirth.net (James Firth)
Date: Fri, 17 Jun 2011 11:08:01 +0100
Subject: O'Dwyer: US extradition attempt for UK-based copyright "offences"
Message-ID: <000001cc2cd6$71233ce0$5369b6a0$@net>

Not sure if people on the list have seen the case of Richard O'Dwyer that's been breaking this week. Facts have been slow to emerge; I've blogged it here:
http://ejf.me/fS

Essentially O'Dwyer ran a links website, TV-Shack. Anyone who's been following the repeated attempts to make criminal charges under CDPA (or a related conspiracy to defraud in the case of R v Ellis) will understand there's been no jury conviction for offences that just include links.

Incidentally, David Cook, who comments in today's Telegraph, wrote something about the persistence of the police and rights holders to make criminal charges stick on Orgzine last month:
http://zine.openrightsgroup.org/comment/2011/criminal-prosecutions-file-sharing

James Firth
CEO, Open Digital Policy Organisation Ltd
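Going back to the health data thread: Adrian Midgley's point that "unlinking" a file removes its name rather than its data, and John Wilson's doubt that the "manual delete" was a secure one, can be shown directly. The script below is an added illustration, not code from the thread or from any of its posters; it assumes a POSIX filesystem (where data outlives the name until the last descriptor closes, and freed blocks are not zeroed) and uses a constructed sample record.

```python
"""Added illustration, not from the ukcrypto thread: "unlinking" a file removes
its name, not its bytes, and an overwrite-before-unlink routine.

Assumed (not stated in the thread): a POSIX filesystem, where a file's data
stays on disk until every name and every open descriptor referring to it is
gone, and even then the freed blocks are merely marked free, not wiped.
"""
import os
import tempfile

# Constructed sample record; every value is made up.
SECRET = b"patient 000000, age 54, postcode EX1 1AA, diagnosis: asthma\n"


def unlink_keeps_bytes(path):
    """Write SECRET to path, unlink it, then read it back through a descriptor
    opened before the unlink. Returns (name_gone, data_still_readable)."""
    with open(path, "wb") as fh:
        fh.write(SECRET)
    fd = os.open(path, os.O_RDONLY)
    os.unlink(path)  # drops the directory entry only; inode and data live on
    name_gone = not os.path.exists(path)
    try:
        data_still_readable = os.read(fd, len(SECRET)) == SECRET
    finally:
        os.close(fd)  # last reference gone: blocks are marked free, not zeroed
    return name_gone, data_still_readable


def overwrite_then_unlink(path, passes=1):
    """Overwrite the file's contents in place (and fsync) before unlinking, so
    the blocks handed back to the allocator no longer hold the plaintext.
    Returns the bytes read back after the overwrite."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
        fh.seek(0)
        readback = fh.read(size)
    os.unlink(path)
    return readback


def demo():
    """Run both steps in a scratch directory and report the outcomes."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "record.txt")
        name_gone, still_readable = unlink_keeps_bytes(path)
        with open(path, "wb") as fh:
            fh.write(SECRET)
        readback = overwrite_then_unlink(path)
        return {
            "unlink_removed_name": name_gone,
            "bytes_survived_unlink": still_readable,
            "overwrite_zeroed_contents": readback == b"\0" * len(SECRET),
            "file_gone_after_overwrite": not os.path.exists(path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first half is why a "deleted" file is routinely recoverable from a laptop's disk. The second half is the usual fix, but an in-place overwrite is only as good as the filesystem's promise to write the same blocks: journaling, copy-on-write and SSD wear-levelling can leave the old copy untouched. That is the practical argument for the whole-disk encryption Mike asks for, since with it "deleting" the data reduces to destroying the key.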
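The other recurring point in the thread is that a record set which has dropped names but kept age and postcode is "anonymised" only in quotes. The standard way to put a number on that is k-anonymity: how many records share each (age, postcode) combination. The script below is an added example, not from the thread; the records, the ten-year age band and postcode outward-code generalisation, and the k=3 threshold are all constructed assumptions of mine.

```python
"""Added example, not from the ukcrypto thread: how anonymous is a record set
that has dropped names but kept age and postcode?

The records below are constructed (made-up ages, postcodes and diagnoses); the
age-band and postcode-area generalisation and the k=3 threshold are my
assumptions, not anything the thread states.
"""
from collections import Counter

RECORDS = [
    {"age": 54, "postcode": "EX1 1AA", "diagnosis": "asthma"},
    {"age": 57, "postcode": "EX1 1AB", "diagnosis": "diabetes"},
    {"age": 51, "postcode": "EX1 2CD", "diagnosis": "hypertension"},
    {"age": 54, "postcode": "EX1 1AA", "diagnosis": "hay fever"},
    {"age": 33, "postcode": "SW1A 1AA", "diagnosis": "migraine"},
    {"age": 34, "postcode": "SW1A 2BB", "diagnosis": "asthma"},
    {"age": 38, "postcode": "SW1A 1ZZ", "diagnosis": "eczema"},
    {"age": 88, "postcode": "EX1 3EF", "diagnosis": "dementia"},
]


def raw_key(record):
    """Quasi-identifier exactly as released: full age and full postcode."""
    return (record["age"], record["postcode"])


def generalised_key(record):
    """Coarsened quasi-identifier: ten-year age band and postcode outward code."""
    band = (record["age"] // 10) * 10
    outward = record["postcode"].split()[0]
    return (band, outward)


def equivalence_classes(records, key):
    """Count how many records share each quasi-identifier value."""
    return Counter(key(r) for r in records)


def k_anonymity(records, key):
    """The k of the release: size of the smallest equivalence class."""
    return min(equivalence_classes(records, key).values())


def unique_records(records, key):
    """Records whose quasi-identifier is shared with nobody else (k = 1)."""
    classes = equivalence_classes(records, key)
    return [r for r in records if classes[key(r)] == 1]


def suppress_below_k(records, key, k):
    """Drop records in classes smaller than k so the remainder is k-anonymous."""
    classes = equivalence_classes(records, key)
    return [r for r in records if classes[key(r)] >= k]


if __name__ == "__main__":
    print("raw release: k =", k_anonymity(RECORDS, raw_key),
          "unique records =", len(unique_records(RECORDS, raw_key)))
    print("age band + outward code: k =", k_anonymity(RECORDS, generalised_key),
          "unique records =", len(unique_records(RECORDS, generalised_key)))
    kept = suppress_below_k(RECORDS, generalised_key, 3)
    print("after suppression to k=3:", len(kept), "of", len(RECORDS),
          "records kept, k =", k_anonymity(kept, generalised_key))
```

With full age and postcode, six of the eight constructed records are unique, so the diagnosis column is effectively labelled with a person for anyone who knows a neighbour's age. Coarsening to an age band and outward code still leaves the 88-year-old alone in their class, and reaching k=3 means suppressing that record entirely: generalisation alone does not handle outliers, and the cost of real anonymisation is lost records, which is the trade-off a release of 8.6 million "anonymised" records would have had to make.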