
12 posts from November 2014

Verizon And Cox Media Disagree On Fees. Verizon FiOS Customers Lose Programming

Verizon FiOS and Cox Media Group have been unable to agree upon carriage fees, so Cox removed its programming on Thursday, Thanksgiving Day, from the Verizon FiOS television service. The Boston Globe reported that 400,000 homes in Massachusetts were affected. The change meant that Verizon FiOS customers were unable to watch Fox movies, N.F.L. football including the Thanksgiving Day game between the Dallas Cowboys and Philadelphia Eagles, and programming by the local Fox affiliate in Boston.

Cox Media Group has revenues of about $1.7 billion. It owns eight daily newspapers, 16 non-daily newspapers, 14 television stations, ten AM radio stations, and 47 FM radio stations. It operates in 10 television markets reaching 30+ million viewers, and 11 radio markets reaching about 14 million listeners.

A Verizon FiOS customer shared the company's notice:

[Image: Verizon FiOS notice about Fox 25 programming]

Verizon Wireless customers can still watch N.F.L. programming using the service's mobile app:

[Image: NFL programming available via Verizon Wireless mobile app]

This was a "mugging" of consumers. Customers were understandably angry about the loss of programming, and some threatened to cancel:

[Image: Tweets by customers about Verizon FiOS loss of programming]

What are your opinions of this? Did you switch to the paid Verizon Wireless app, or cancel Verizon FiOS service?


Video: Squirrel Steals A Mobile Camera. Here's What You Don't Know

Maybe you've seen the video of a squirrel with a GoPro camera. Besides YouTube, several websites are showing it. If you haven't seen it, watch it there (the article continues below).

What You Don't Know

According to recently released government documents, the N.S.A. spent $3 million last year evaluating the use of squirrels as spies. The surveillance program was titled, "Nutty About Surveillance."

Not to be outdone, the F.B.I. started a similar, domestic-U.S. program as part of its wired forests initiative. The new program, "Countering Violent Animals," seeks to protect humans from violent, extremist animals. Reportedly, the F.B.I. is also installing GPS-enabled spy cameras on bears, raccoons, and groundhogs.


A Fight Brews After Retailers Demand From Congress Better, Stronger, And Consistent Data Breach Laws

The National Retail Federation and 43 other retail associations sent a letter dated November 6, 2014 to Congressional leaders in the House and Senate demanding laws that promote stronger data security, eliminate exemptions for certain industries from data breach notification laws, and provide consistent data breach notification rules.

There are currently 47 different breach notification laws across the states. This makes for a complicated patchwork of state laws that retailers must navigate when informing affected shoppers about data breaches. The laws vary in defining the data elements to be protected, the data formats, the methods of notification, and the deadline by which affected consumers must be notified.

The retail associations' letter to Congress (Adobe PDF) stated:

"Organized groups of criminals, often based in Eastern Europe, have focused on U.S. businesses, including financial institutions, technology companies, manufacturing, retail, utilities and others. These criminals devote substantial resources and expertise to breaching data protection systems... Given the breadth of these invasions, if Americans are to be adequately protected and informed, any legislation to address these threats must cover all of the types of entities that handle sensitive personal information. Exemptions for particular industry sectors not only ignore the scope of the problem, but create risks criminals can exploit. Equally important, a single federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs."

The letter cited current banking practices:

"... the recently reported data breaches have taught us, it is that any security gaps left unaddressed will quickly be exploited by criminals. For example, the failure of the payment cards themselves to be secured by anything more sophisticated than an easily-forged signature makes the card numbers particularly attractive to criminals and the cards themselves vulnerable to fraudulent misuse. Better security at the source of the problem is needed. The protection of American’s sensitive financial information is not an issue on which sacrificing comprehensiveness makes any sense at all."

The letter described the threats retailers face, and data breaches at banks and payment processors:

"... some recent examples are instructive. This summer, it was reported that JPMorgan Chase had suffered a data security breach... affecting 83 million accounts that had been accessed online or through mobile devices. The criminals involved reportedly took over computers around the world... Given the sophistication of the attack, even months after initial disclosure, it is not clear whether the bank’s system is free of the hackers involved. It has also been reported that nine other banks suffered similar data breaches and there is evidence that there is a focused effort to breach financial institutions by these criminals... Despite all that reporters have uncovered to date, however, financial regulators have not required financial institutions to provide the same detailed notice to their customers as is required of other businesses under law... it was revealed in September that over 100 account subscribers to Apple’s widely-used iCloud service had suffered a series of targeted attacks that ultimately led to the unlawful acquisition of sensitive photographs stored on the iCloud servers. Merchants have also been attacked by criminals employing sophisticated and previously unseen tools to steal payment card numbers. Payment card data has been targeted by criminals in data breaches at every type of entity that handles such data – from financial institutions to retailers, card processors, and telecommunications providers."

The letter also cited a key industry study about where data breaches occurred:

"The Verizon Data Breach Investigations Report is the most comprehensive summary of these types of threats. The 2014 report (examining 2013 data) determined that there were 63,437 data security incidents reported by industry, educational institutions and governmental entities last year and that 1,367 of those had confirmed data losses. Of those, the financial industry suffered 34%, public institutions (including governmental entities) had 12.8%, the retail industry had 10.8%, and hotels and restaurants combined had 10%."

The Online Trust Alliance supports the retailer associations' letter with calls for better, stronger, consistent data breach laws. The American Bankers Association and several financial services groups responded with their own letter (Adobe PDF) to Congress dated November 12, 2014. The banking groups' letter said the retail associations' letter was:

"... inaccurate and misleading, and recommends solutions that leave consumers vulnerable to enhanced risk of data breaches... As evidenced by the massive breaches at Target, Home Depot, Michaels, Neiman Marcus, Jimmy Johns, Staples, Dairy Queen and others, retailers are being targeted by cyber criminals. While merchants and financial institutions are both the targets of these attacks, a key difference is that financial institutions have developed and maintain robust internal protections to combat criminal attacks and are required by Federal law and regulation to protect this information and notify consumers when a breach occurs that will put them at risk. In contrast, retailers are not covered by any Federal laws or regulations that require them to protect the data and notify consumers when it is breached."

Given the frequency and large size of data breaches, in my opinion, both groups have failed at adequately protecting consumers' sensitive personal and financial information. Neither is in a position to criticize the other.

The financial groups' letter cited "Strong Federal Oversight and Examination" and:

"Financial institutions on their own are aggressively implementing new systems and leading the development of new technologies like tokenization to combat the ever-changing criminal threat."

Banks may lead the way in defending against external threats, but they seem to have failed miserably against internal threats. Several examples illustrate my point. Banks have settled lawsuits about data breaches, settled lawsuits about residential mortgage-backed securities abuses, paid massive amounts ($128 billion and counting) in settlement payments and fines where the terms are often kept secret and the payments are tax deductible, and failed to solve their growing ethics problem where young bankers feel they must break the law to get ahead. Nobody forced banks to violate the laws that resulted in these lawsuits, settlements, and fines.

Rather than fight, both groups should stay focused on their shoppers and account holders: collaborate on better data security. Otherwise, they both look silly; like children at the dinner table arguing over who gets the last slice of chocolate cake.

View the full text of the retail associations' letter to Congress (Adobe PDF). Download the 2014 Verizon Data Breach Investigations Report. Learn more about hacking attacks against Apple iCloud services.


Banks Pay Huge Fines, Again. This Time For Foreign Exchange Trading Abuses

There is an interesting article in the Washington Post titled, "You Should Never Underestimate How Far Bankers Will Go To Game The System." Several banks recently paid huge fines:

"This time, it's a $4.2 billion fine. That's how much UBS, HSBC, Citibank, JP Morgan Chase, Bank of America, and the Royal Bank of Scotland are collectively paying to U.S., U.K., and Swiss regulators for rigging the foreign-exchange, or FX, market."

How the banks rigged the trading exchange:

"Traders at supposedly competing firms worked together to rig the benchmark FX rates in their favor. They deliberately triggered clients' stop-loss orders—the price they'd automatically sell at to limit losses—to boost their own profits. Along with revealing what trades their customers were about to make, which would let them all make it first... the bankers set up [online] chatrooms charmingly named things like "the 3 musketeers" where they planned all this out..."

Kudos to regulators for catching the banks doing illegal activity. Before, it was abuses with residential mortgage-backed securities. The banks have often apologized for the abuses, but those apologies (and fines) are a mild, first step. Consequences must be more extensive.

This latest set of fines highlights what is wrong with the banking sector. Basically, the wrongdoing will continue as long as the likelihood of getting caught is low, no bankers go to prison, and the profits from said activities exceed the fines paid:

"... it's important to remember that these penalties are just the price of doing business for big banks—and tax-deductible ones at that. And that's why the better news is that the Justice Department is still looking into criminal charges against some of these traders. Far too often, as Matt Taibbi has argued, the Justice Department has been all too happy to have banks cut them a fat check rather than—and at the expense of—pursuing criminal charges that are hard to prove and even harder to explain to a jury."

The trading abuses went on for years. The Guardian UK reported:

"Two UK and US regulators said they had found a “free for all culture” rife on trading floors which allowed the markets to be rigged for five years, from January 2008 to October 2013.... In the UK, UBS was handed the biggest fine, at £233m, followed by £225m for Citibank, JPMorgan at £222m, RBS at £217m, and £216m for HSBC. Barclays has yet to settle. In the US, the regulator fined Citibank and JP Morgan $310m each, $290m each for RBS and UBS, and $275m for HSBC."

Consumers: when fines are tax deductible, it's a huge gift to banks because you are paying for the wrongdoing and not the banks. If fines continue to be tax-deductible, enforcement agencies fail to put bankers in prison, and politicians support the status quo, then the time to gather your torches and pitchforks fast approaches.


FCC Decision About Net Neutrality Unlikely This Year

MediaPost reported:

"... it looks like the Federal Communications Commission will put off a decision on net neutrality until at least next year. The agency's tentative agenda for its Dec. 11 meeting, released this afternoon, doesn't include a vote on open Internet rules."

Reportedly, the reason for the postponement:

"... after President Barack Obama publicly urged the FCC to reclassify broadband as a utility service, Wheeler indicated the agency would need additional time to consider the legal questions posed by reclassifying broadband. “The more deeply we examined the issues around the various legal options, the more it has become plain that there is more work to do,” Wheeler said..."

The FCC could change its December 11 meeting agenda. If it doesn't, then the next time it could vote about net neutrality would be at its January 29, 2015 meeting.


Uber's "God View" Tool, Privacy And Alleged Tracking

On Monday, BuzzFeed reported about possible ethics and privacy issues at Uber, the ride-sharing social service:

"A senior executive at Uber suggested that the company should consider hiring a team of opposition researchers to dig up dirt on its critics in the media — and specifically to spread details of the personal life of a female journalist who has criticized the company."

The executive was Emil Michael, a senior vice president:

"Michael was particularly focused on one journalist, Sarah Lacy, the editor of the Silicon Valley website PandoDaily, a sometimes combative voice inside the industry. Lacy recently accused Uber of “sexism and misogyny.” She wrote that she was deleting her Uber app after BuzzFeed News reported that Uber appeared to be working with a French escort service."

Then, BuzzFeed reported on Wednesday that Uber:

"... is investigating its top New York executive for tracking a BuzzFeed News reporter without her permission in violation of what the transit giant says has long been its privacy policy. The company also published its privacy policy for the first time on Tuesday, though it said the policy had always been in effect..."

What the "God View" tool is and does:

"Tracking customers is easy... two former Uber employees told BuzzFeed News. They said God View, which shows the location of Uber vehicles and customers who have requested a car, was widely available to corporate employees. Drivers, who operate as contractors, do not have access to God View."

Uber is headquartered in San Francisco. Travis Kalanick is the Chief Executive Officer and Co-Founder. Salle Yoo is the General Counsel. The list of investors includes actor Ashton Kutcher, Goldman Sachs, and Google Ventures. The Daily Beast listed ten Uber horror stories customers experienced. Rightly so, Uber executives face tough questions in Congress.

The Los Angeles Times reported:

"Uber has come to be known for its aggressive tactics, including making controversial statements, attempting to undercut its key rival Lyft by poaching their drivers and heavily criticizing the taxi industry's traditional way of doing business. Where does it all come from? Three of the values that employees are judged on are "fierceness," "super pumpedness" and "scale" (increasing the number of users)..."

Regardless of whether or not Michael stays at Uber, the issues remain regarding privacy, tracking of customers, and a questionable corporate culture. And, I'm sure that many government spy and law enforcement agencies would eagerly use, if they don't already, geolocation output from the God View tool.

If you use Uber, what are your opinions of the service? Of the God View tool? Do you trust Uber? Do you trust other social networking services not to track your physical movements in real time via their mobile apps?


Firefox Browser Includes DuckDuckGo Search Engine For Online Privacy

On Thursday, Firefox tweeted the following:

[Image: Firefox tweet about DuckDuckGo.com]

A software update sent to Firefox browser users on Wednesday included several privacy enhancements: the DuckDuckGo search engine and the Forget button to erase browsing history. Regular readers of this blog already know about the DuckDuckGo search engine. The IveBeenMugged blog first reported about it in January 2013.

Learn more about the search engine features in the Firefox browser, and how to select DuckDuckGo as your default search engine. Twitter users can follow the discussion using the #ChooseIndependent hashtag.


Consumer Opinions And Attitudes About Privacy

The Pew Research Internet Project released the results of a survey of American adults' views about privacy. First, privacy means different things to different people:

"... privacy applies to personal material—their space, their “stuff,” their solitude, and, importantly, their “rights.” Beyond the frequency of individual words, when responses are grouped into themes, the largest block of answers ties to concepts of security, safety, and protection. For many others, notions of secrecy and keeping things “hidden” are top of mind when thinking about privacy."

Former NSA contractor Ed Snowden began leaking documents in June 2013 about the government's ongoing surveillance programs. Pew Research found:

"... 43% of adults have heard “a lot” about “the government collecting information about telephone calls, emails, and other online communications as part of efforts to monitor terrorist activity,” and another 44% have heard “a little.” Just 5% of adults in our panel said they have heard “nothing at all” about these programs."

Survey respondents lack confidence that they have control over their personal information:

"91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.

88% of adults “agree” or “strongly agree” that it would be very difficult to remove inaccurate information about them online.

80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.

70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites without their knowledge"

Are government spy programs a concern? Should government do more to protect consumers? Here's how survey respondents answered:

"80% of adults “agree” or “strongly agree” that Americans should be concerned about the government’s monitoring of phone calls and internet communications. Just 18% “disagree” or “strongly disagree” with that notion.

64% believe the government should do more to regulate advertisers, compared with 34% who think the government should not get more involved.”

Historically, web sites have typically claimed that online data collection is necessary to serve up relevant advertisements and/or to provide free services. Here's what survey respondents said about that:

"61% of adults “disagree” or “strongly disagree” with the statement: “I appreciate that online services are more efficient because of the increased access they have to my personal data.”

At the same time, 55% “agree” or “strongly agree” with the statement: “I am willing to share some information about myself with companies in order to use online services for free.”

Pew Research found that most respondents felt the least secure on social networking websites, followed by chat and instant messaging services. Respondents felt the most secure on landline phones when they need to share private information. Most people want to protect their privacy online, but feel it is impossible to be anonymous online.

People considered their Social Security Numbers the most sensitive personal data. The rank order of personal data elements from the most to least sensitive:

  1. Social Security Number
  2. State of their health and medications taken
  3. Content of phone conversations
  4. Content of e-mail messages
  5. Physical location over time (geo-location)
  6. Content of text messages
  7. Phone numbers called
  8. Birth date
  9. Relationship history
  10. Websites visited
  11. Keywords used at online search engines
  12. Religious views and religion practiced
  13. List of friends
  14. Political views and candidates supported
  15. Media liked
  16. Purchasing habits (products/services bought)

This list can be used to measure the intrusiveness of social networking sites. For example, Facebook collects directly via member interactions items 2, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, and 16.

The survey included 607 adults who were GfK Knowledge Panel members. The survey was conducted online in English from January 11 to 28, 2014.

What are your opinions of the survey results?


Tech Industry Group Issues Statement On President Obama's Net Neutrality Proposal

Yesterday's blog post discussed President Obama's statement on net neutrality, which proposed several rules and a reclassification of Internet services to keep the Internet consumers know and love both fair and equal. The proposed rules, in my opinion, would also encourage lower prices and increased competition.

The Internet Association responded with the following statement:

"The Internet Association applauds President Obama’s proposal for the adoption of meaningful net neutrality rules that apply to both mobile and fixed broadband. As we have previously said, the FCC must adopt strong, legally sustainable rules that prevent paid prioritization and protect an open Internet for users. Using Title II authority, along with the right set of enforceable rules, the President’s plan would establish the strong net neutrality protections Internet users require. We welcome the President’s leadership, and encourage the FCC to stand with the Internet’s vast community of users and move quickly to adopt strong net neutrality protections that ensure a free and open Internet.”

The association includes many of the brands you know and love:

  • E-commerce: Amazon.com, Ebay, Etsy
  • Publishers: Netflix
  • Search: Ask, Google, Yahoo
  • Social: Facebook, Flickr, LinkedIn, Match.com, OKCupid, Reddit, Twitter, Vimeo, Zynga
  • Services: About.com, AOL, Monster.com, PayPal, Rackspace, StubHub
  • Travel: Airbnb, Expedia, Hotels.com, Lyft, TripAdvisor, Uber, Yelp

What can consumers make of this statement?

It sounded like mild support to me. The New York Times analyzed the tech companies' joint statement:

"Silicon Valley’s giant companies have been quiet lately on the question of whether the government should protect an open Internet, which they’ve previously argued is vital to innovation. Don’t count on them staking out a stronger position even though President Obama has stepped into the fray... In another era, the White House’s position might have elicited squeals of joy from the technology giants, which have long maintained that the future of innovation online depends on such strict net neutrality rules. But Google, which was once the industry’s most ardent supporter of net neutrality, and Facebook, which could mobilize millions of supporters through its service, both declined to comment on Mr. Obama’s position."

People expected a stronger statement from these tech companies. An example:

"Consider, for instance, the pro-neutrality argument offered by Etsy, which is a marketplace for handmade items. Most Etsy sellers are women who have set up shop in their homes. “The Internet has allowed them to compete with big brands in the global marketplace, and we felt that was under threat,” said Althea Erickson, the company’s public policy director. Ms. Erickson pointed out that Etsy makes low margins, taking just 3.5 percent of every transaction. It would not have been able to pay for priority access if broadband companies ever created a fast lane online... Delays of even fractions of a second result in dropped revenue for our users.”

As I said in yesterday's blog post, there are three chief benefits to the rules proposed by the President: more competition, lower prices, and J-O-B-S; all of which benefit consumers. Lower monthly Internet prices would enable more small- and home-based businesses to use sites like Etsy.

So, you'd think that tech companies with large customer segments of small and medium businesses would have provided far stronger support for the President's net neutrality statement. You'd think that any corporation with an explicit goal to "organize the world's information and make it universally accessible" would express the strongest support possible for net neutrality. It seems that in the race for profits, tech companies have concluded that it is better, easier, and more profitable to favor large corporations and wealthy individuals over small/medium businesses and consumers.

What are your opinions of the statement by the Internet Association? Of tech companies' mild support of net neutrality?


President Obama Asks The FCC To Implement Rules To Keep The Internet Fair And Equal

In a strong statement, President Obama shared his plan to keep Internet access open and fair, what is often referred to as "net neutrality." For those unfamiliar with the issue:

"Most Internet providers have treated Internet traffic equally. That's a principle known as "net neutrality" — and it says that an entrepreneur's fledgling company should have the same chance to succeed as established corporations, and that access to a high school student's blog shouldn't be unfairly slowed down to make way for advertisers with more money."

In his statement, the President explained:

"Net neutrality has been built into the fabric of the Internet since its creation — but it is also a principle that we cannot take for granted. We cannot allow Internet service providers (ISPs) to restrict the best access or to pick winners and losers in the online marketplace for services and ideas. That is why today, I am asking the Federal Communications Commission (FCC) to answer the call of almost 4 million public comments, and implement the strongest possible rules to protect net neutrality."

The rules the President asked the FCC to adopt:

"No blocking. If a consumer requests access to a website or service, and the content is legal, your ISP should not be permitted to block it. That way, every player — not just those commercially affiliated with an ISP — gets a fair shot at your business.
No throttling. Nor should ISPs be able to intentionally slow down some content or speed up others — through a process often called “throttling” — based on the type of service or your ISP’s preferences.
Increased transparency. The connection between consumers and ISPs — the so-called “last mile” — is not the only place some sites might get special treatment. So, I am also asking the FCC to make full use of the transparency authorities the court recently upheld, and if necessary to apply net neutrality rules to points of interconnection between the ISP and the rest of the Internet.
No paid prioritization. Simply put: No service should be stuck in a “slow lane” because it does not pay a fee. That kind of gatekeeping would undermine the level playing field essential to the Internet’s growth. So, as I have before, I am asking for an explicit ban on paid prioritization and any other restriction that has a similar effect."

These rules are a good start. The "no throttling" rule is important as cases have already documented throttling by some ISPs. The President also said in his statement:

"I believe the FCC should reclassify consumer broadband service under Title II of the Telecommunications Act — while at the same time forbearing from rate regulation and other provisions less relevant to broadband services. This is a basic acknowledgment of the services ISPs provide to American homes and businesses, and the straightforward obligations necessary to ensure the network works for everyone — not just one or two companies."

Will the FCC Commissioners and FCC Chairman Wheeler listen to the President's proposed rules? Will Chairman Wheeler and the FCC listen to feedback from four million consumers, or to a few large ISPs? I hope the FCC listens to consumers, the people who pay for Internet services. It is useful to remember that Chairman Wheeler previously was a lobbyist for the telecommunications and ISP industry. A prior proposal by the FCC was fake net neutrality. Despite four million comments from citizens, FCC Chairman Wheeler already expressed interest in doing something different than the President's proposed rules.

As I see it, there are three chief benefits with the President's plan that Chairman Wheeler fails to address. First, lower Internet prices. Americans already pay the highest prices in the world for Internet access. The President's rules encourage more competition, which will lower the monthly Internet prices we all pay. Readers of this blog are aware of the limited competition in many cities, towns, and rural areas, including local laws in 20 states that prohibit citizens from forming municipal broadband Internet services. The major ISPs have done, and continue to do, everything possible to both restrict competition and to keep monthly Internet prices sky high. And, a few misguided politicians who know nothing about the Internet are happy to keep your monthly Internet prices high by serving the financial needs of their corporate donors.

Second, the President's rules mean J-O-B-S. How? Lower prices make it easier for small and medium businesses to start, grow, and hire. That means J-O-B-S. Do the large ISPs care about job-creation? I think not. By design and structure, the focus of any corporation is to increase its profits and meet the needs of its shareholders (e.g., maximize dividends); and not meet the needs of the broader community of Internet users.

Third, a healthy democracy needs access to information by citizens. Do you want the strongest democracy possible? I think you do. I do. Lower prices make it easier for more citizens to have Internet access. Stop by any coffee or doughnut shop near where you live and notice the number of people using the free WiFi because they can't afford it at home. Lower prices help close the digital divide between the haves and the have-nots.

Read or listen to the President's plan to keep the Internet fair and equal. Do you want lower monthly Internet prices? I think that you do. I do. Without net neutrality, you will have less choice and say about where to surf on the Internet, and you'll probably pay a lot more.

To learn more about net neutrality, citizen feedback to the FCC, and prior abuses by ISPs, read the Internet Access section of this blog. What the FCC finally decides will affect us all for decades. What are your opinions of the President's rules? Of the FCC?


Home Depot Discloses More Details About Its Data Breach Affecting 53 Million Shoppers

If you shop at Home Depot, then today's blog post is for you. On November 6, 2014, Home Depot disclosed more details about its data breach investigation. Criminals gained access to the retailer's computer network by using a third-party vendor's credentials (e.g., user name and password), and:

"These stolen credentials alone did not provide direct access to the company's point-of-sale devices. The hackers then acquired elevated rights that allowed them to navigate portions of Home Depot's network and to deploy unique, custom-built malware on its self-checkout systems in the U.S. and Canada... separate files containing approximately 53 million email addresses were also taken during the breach. These files did not contain passwords, payment card information or other sensitive personal information."

The announcement did not explain how the criminals gained "elevated rights" with the stolen credentials. Home Depot did not disclose the name of the third-party vendor.

In a prior September 8, 2014 press release (Adobe PDF, 188.4K), the retailer confirmed the breach affecting shoppers who used payment cards in its stores between April and September 2014. The retailer began its breach investigation on September 2, after several banks and law enforcement agencies notified it of a possible breach. Also on September 8, the retailer offered affected shoppers free credit monitoring services. To learn more about these services, interested shoppers should visit the Home Depot website or, in the USA, call 1-800-HOMEDEPOT (800-466-3337). Shoppers in Canada should call 800-668-2266.

In its latest announcement, Home Depot said it is notifying affected shoppers in the United States and Canada. The stolen e-mail addresses mean that affected shoppers should also be on alert for phishing e-mail scams designed to trick consumers into revealing their sensitive personal and financial information.

How should consumers view the Home Depot's breach?

53 million affected shoppers is a massive breach. If your payment card information has been stolen, the hackers will likely sell it to other criminals, who will then use it to make fraudulent purchases or to clone cards. This is what payment card criminals do; combined with other stolen personal data, it can also feed new-account fraud. So, it's wise to seriously consider the retailer's offer of free credit monitoring services.

As things progress, we will probably hear more details about the breach investigation. In its latest announcement, Home Depot did not disclose how many shoppers had both their e-mail address and their payment card information stolen. This overlap is important. If the overlap was 100 percent, that says something very different from an overlap of 5 percent. If the overlap was concentrated in certain stores or states, that says something else. To feel comfortable about shopping at Home Depot, shoppers deserve an explanation of both the overlap and how the related security holes are being fixed.

Back in September, Home Depot used its breach announcement to also announce the upcoming rollout of EMV chip-and-PIN card technology in its stores. It seems that the retailer hopes chip cards will help make shoppers feel comfortable. So, we'll probably hear more about EMV during the coming weeks. However, chip cards alone do not secure a computer network or its purchase transactions: EMV reduces the value of cloned magnetic-stripe data, but it does not keep malware off a checkout system, and it does not stop an attacker who already holds administrative rights on the network.

While consumers may not focus upon the "elevated rights" statement in Home Depot's latest announcement, you can bet that data security experts, banks, and other retailers are watching closely. Why? eWeek provided an interesting analysis:

"That's the real root cause, in my view—a privilege escalation flaw. Getting into the network itself is interesting, but without the right privileges, which the third-party vendor did not have, the attacker could not do any damage... Home Depot has also reiterated that the malware that was deployed by the attackers, once they had executed their privilege escalation attack, was malware that had previously been unknown. That means it was not the Backoff malware that has impacted 1,000 retailers. What the new Home Depot breach details clearly show is that the breach was a multistage attack that wasn't just about any one failure but rather several defensive inadequacies. Third-party access was breached by an attacker, so that's one point of failure. The privilege escalation issue is the second. The undetected malware itself is the third point of failure. Finally, the fact that the data was taken out from the network without detection is the icing on the cake."
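The four failures the eWeek analysis lists are each visible in ordinary telemetry if someone is looking. The following is an added example, not code from Home Depot or from eWeek, showing one detection check per stage run over a constructed log: a third-party account reaching a host outside its remit, that account being added to a privileged group, an unexpected executable appearing on a point-of-sale host, and a POS-segment host talking to an external address. The log format, account names, hostnames, executable allowlist and IP ranges are all assumptions made for the example.

```python
"""Stage-by-stage detection checks for the four failures named in the eWeek
analysis: abused third-party credentials, privilege escalation, unknown
malware on point-of-sale hosts, and undetected data exfiltration.
The log format, accounts, hosts and addresses below are constructed for
illustration; they are not Home Depot's logs, policy or tooling."""
import ipaddress
import re

# --- Constructed policy (hypothetical environment) ---------------------------
# Each third-party account may reach only the hosts it was provisioned for.
VENDOR_ALLOWED_HOSTS = {"vendor_hvac": {"jump01", "hvac-portal"}}
PRIVILEGED_GROUPS = {"Domain_Admins", "Administrators"}
# Executables expected on self-checkout / POS hosts (hostnames "pos-*").
POS_ALLOWED_IMAGES = {"C:\\POS\\pos.exe", "C:\\Windows\\System32\\svchost.exe"}
POS_NETWORK = ipaddress.ip_network("10.20.4.0/24")
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# --- Constructed sample events in a simple key=value format ------------------
SAMPLE_LOG = """\
ts=2014-04-11T02:14:05 type=logon user=vendor_hvac src=203.0.113.7 dst=jump01 result=success
ts=2014-04-11T02:16:40 type=logon user=vendor_hvac src=jump01 dst=dc02 result=success
ts=2014-04-11T02:20:12 type=group_change user=vendor_hvac group=Domain_Admins action=add
ts=2014-04-12T03:01:55 type=process host=pos-sc-0412 user=vendor_hvac image=C:\\Windows\\Temp\\svchost.exe
ts=2014-04-12T03:05:00 type=netflow src=10.20.4.12 dst=198.51.100.23 dport=443 bytes=5242880
ts=2014-04-12T09:15:00 type=process host=pos-sc-0412 user=SYSTEM image=C:\\POS\\pos.exe
ts=2014-04-12T09:20:00 type=netflow src=10.20.4.12 dst=10.20.0.5 dport=8443 bytes=2048
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
STAGES = ("initial_access", "privilege_escalation", "malware", "exfiltration")


def parse_line(line):
    """Turn one key=value event line into a dict."""
    return dict(KV_RE.findall(line))


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def check_event(ev):
    """Return (stage, detail) if the event trips one of the four checks, else None."""
    kind = ev.get("type")
    user = ev.get("user", "")
    # Stage 1: a vendor credential used against a host it was never meant to reach.
    if kind == "logon" and ev.get("result") == "success" and user in VENDOR_ALLOWED_HOSTS:
        if ev["dst"] not in VENDOR_ALLOWED_HOSTS[user]:
            return ("initial_access", f"vendor account {user} logged on to {ev['dst']}, outside its remit")
    # Stage 2: any addition to a privileged group; doubly suspicious for a vendor account.
    if kind == "group_change" and ev.get("action") == "add" and ev.get("group") in PRIVILEGED_GROUPS:
        return ("privilege_escalation", f"{user} added to {ev['group']}")
    # Stage 3: an executable on a POS host that is not on the allowlist
    # (a svchost.exe outside System32 is a classic masquerade).
    if kind == "process" and ev.get("host", "").startswith("pos-"):
        if ev["image"] not in POS_ALLOWED_IMAGES:
            return ("malware", f"unexpected executable {ev['image']} on {ev['host']} run as {user}")
    # Stage 4: POS-segment hosts have no business talking to the Internet directly.
    if kind == "netflow" and ipaddress.ip_address(ev["src"]) in POS_NETWORK:
        if not is_internal(ev["dst"]):
            return ("exfiltration", f"POS host {ev['src']} sent {ev['bytes']} bytes to external {ev['dst']}:{ev['dport']}")
    return None


def analyze(log_text):
    """Run every event through the checks; return (stage, detail) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = check_event(parse_line(line))
        if hit:
            findings.append(hit)
    return findings


def kill_chain_complete(findings):
    """True when all four stages were observed. One stage alone already merits an alert."""
    seen = {stage for stage, _ in findings}
    return all(stage in seen for stage in STAGES)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for stage, detail in results:
        print(f"[{stage}] {detail}")
    print("full chain observed:", kill_chain_complete(results))
```

Against the constructed log, the checks fire once per stage and in order; the benign events (the vendor's logon to its own jump host, the legitimate pos.exe, the internal flow) produce nothing. The point is that any one of the four hits, investigated promptly, would have cut the chain before the last stage.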

EMV chips won't fix these four failures. Free credit monitoring services won't fix these four failures. The retailer needs to improve its computer systems end-to-end, as the eWeek analysis suggested. What are your opinions of the breach? Of Home Depot's breach investigation? Of the eWeek analysis?


FBI Director Comey Spoke On Privacy And Government Surveillance

James B. Comey, Director of the Federal Bureau of Investigation (FBI), spoke recently about government surveillance and privacy. You can read Director Comey's full speech online. He proposed a national conversation about privacy and safety:

"... I think it’s important to talk about the work we do in the FBI, and what we need to do the job you have entrusted us to do. There are a lot of misconceptions in the public eye about what we in the government collect and the capabilities we have for collecting information.... My job is to explain and clarify where I can with regard to the work of the FBI.... My goal today isn’t to tell people what to do. My goal is to urge our fellow citizens to participate in a conversation as a country about where we are, and where we want to be, with respect to the authority of law enforcement."

A conversation is good. Some discussion has already happened, with protests focused on the National Security Agency (NSA). Any urging about discussions should come from members of Congress, since that is the body that debates new laws. When that discussion failed to happen, Mr. Snowden forced a public discussion with his document disclosures. Then Mr. Comey proceeds to frame the discussion in a way that benefits the FBI:

"... the law hasn’t kept pace with technology, and this disconnect has created a significant public safety problem. We call it “Going Dark,” and what it means is this: Those charged with protecting our people aren’t always able to access the evidence we need to prosecute crime and prevent terrorism even with lawful authority. We have the legal authority to intercept and access communications and information pursuant to court order, but we often lack the technical ability to do so."

Safety problem? Is that all? I think not. It has been well documented in the news media that the NSA's extensive spying programs could cost U.S.-based cloud-services vendors $35 billion in lost revenues. In simpler terms:

Lost revenues by U.S. high-tech companies = lost American jobs = lost tax revenues to U.S. federal, state, and local governments

Yet, Mr. Comey would have us believe that the discussion is simply about safety versus privacy. To ignore the implications (e.g., lost jobs) is not an honest, full discussion.

Lack the technical ability to do so? I find Mr. Comey's claim hard to believe. It implies that the FBI has not kept pace technically with other agencies, such as the NSA. If so, this needs to be explained to citizens. If so, then maybe the FBI needs better leadership to keep pace technically with other agencies.

While most of the documents disclosed by Mr. Snowden focused upon spy programs by the NSA, we also know that other agencies (e.g., CIA, DHS, FBI, IRS) have wanted access to data collected by the NSA. (By now, they may have some access.) Mr. Comey never acknowledged this in his speech.

When Mr. Comey says the FBI has the legal authority, this is worrisome, since there seem to be secret laws, secret courts, and secret processes besides the FISA Court. The lack of disclosure means citizens really don't know what is happening. And in some instances government agencies act under Executive Orders, not law.

Mr. Comey's speech gave the impression that the FBI is in a weak position and that NSA surveillance and data collection programs have been rolled back. While some legislation has been proposed, the privacy-threatening surveillance programs are still operating. His comments also gave the impression that the only productive techniques are surveillance, data collection, and tracking of mobile devices and phones. I find this difficult to believe, as there are many other investigative techniques.

Mr. Comey also said:

"Some believe that the FBI has these phenomenal capabilities to access any information at any time—that we can get what we want, when we want it..."

We citizens have learned that spy programs collect data mostly about ordinary, innocent people. We have learned that photos have been collected and analyzed with facial-recognition techniques. Yes, many citizens understand fully how much metadata collection reveals. We are not fooled any more when government officials and politicians claim otherwise. We now understand the practice of incidental data collection.

Then Mr. Comey proceeded to attack encryption:

"We face two overlapping challenges. The first concerns real-time court-ordered interception of what we call “data in motion,” such as phone calls, e-mail, and live chat sessions. The second challenge concerns court-ordered access to data stored on our devices, such as e-mail, text messages, photos, and videos—or what we call “data at rest.” And both real-time communication and stored data are increasingly encrypted... Current law governing the interception of communications requires telecommunication carriers and broadband providers to build interception capabilities into their networks for court-ordered surveillance... The issue is whether companies not currently subject to the Communications Assistance for Law Enforcement Act (CALEA) should be required to build lawful intercept capabilities for law enforcement. We aren’t seeking to expand our authority to intercept communications."

That sounds like an expansion to me: requiring more companies to build interception capabilities into their systems. Mr. Comey is attacking Apple's recent privacy improvements. He is suggesting that "back doors" be required by law, so that law enforcement and spy agencies can access information. In his speech, Mr. Comey didn't address a key security issue: a back door built for the government is a door the bad guys can find and use too, whether by stealing the key material that unlocks it or by exploiting the code that implements it. This makes software less secure for everyone.

Sadly, this isn't the first time that spy agencies have attempted to weaken encryption. In his speech, Mr. Comey added:

"And if the challenges of real-time interception threaten to leave us in the dark, encryption threatens to lead all of us to a very dark place."

That implies the government's (e.g., the FBI's) surveillance needs, which target a few terrorism suspects, outweigh secure software for everyone. Supposedly, the government's spy needs outweigh your choices about what you keep private: health issues, topics related to your minor children, proprietary business secrets, and more.

We live in a country that values freedom. One freedom is the choice about what personal information we keep private or choose to share, with whom, and when. Another is the choice to use encryption to protect ourselves, our businesses, and the proprietary information our employers entrust to us. Taking these away would be a huge loss of freedom for consumers.

We live in a capitalist society where jobs are important. The lost business and lost jobs consequences from government spying programs can't be ignored by framing the discussion simplistically as "safety versus privacy."

The Electronic Frontier Foundation (EFF) replied to Mr. Comey's speech:

"The FBI should not be in the business of trying to convince companies to offer less security to their customers. It should be doing just the opposite. But that's what Comey is proposing—undoing a clear legal protection we fought hard for in the 1990s. The law specifically ensures that a company is not required to essentially become an agent of the FBI rather than serving your security and privacy interests. Congress rightly decided that companies (and free and open source projects and anyone else building our tools) should be allowed to provide us with the tools to lock our digital information up just as strongly as we can lock up our physical goods. That's what Comey wants to undo."

The EFF also explained the law:

"Here's the relevant part of CALEA that Comey wants to effectively undo: "47 USC 1002(b)(3): A telecommunications carrier shall not be responsible for decrypting, or ensuring the government’s ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication." Also from the CALEA legislative history: "Finally, telecommunications carriers have no responsibility to decrypt encrypted communications that are the subject of court-ordered wiretaps, unless the carrier provided the encryption and can decrypt it. This obligation is consistent with the obligation to furnish all necessary assistance under 18 U.S.C. Section 2518(4). Nothing in this paragraph would prohibit a carrier from deploying an encryption service for which it does not retain the ability to decrypt communications for law enforcement access ... Nothing in the bill is intended to limit or otherwise prevent the use of any type of encryption within the United States. Nor does the Committee intend this bill to be in any way a precursor to any kind of ban or limitation on encryption technology. To the contrary, section 2602 protects the right to use encryption." H/T Chris Soghoian: http://paranoia.dubfire.net/2010/09/calea-and-encryption.html"

What are your opinions of Mr. Comey's speech? Of the EFF response?