[SecurityRatty] tag: delay

Leading Travel Writer Reams Out In-Flight Internet

Tue, 19 Aug 2008 05:34:03 +0000

Joe Brancatelli pokes beneath the surface of claims that in-flight Internet is imminent: I've covered some of the same ground, but veteran travel writer Brancatelli connected the dots by checking with the FAA to find the status of applications for aircraft certification by Aircell and others.

He's not very positive about it, because his research shows a mismatch between claims and work. He writes that an unnamed American airline executive is frustrated by the delay in launching the 3-to-6 month pilot on their trans-continental fleet; that Aircell hasn't submitted paperwork for Virgin's Airbus models for certification; and that the FAA just received a request to certify Delta's MD-80 craft, which makes a launch with 75 planes this year on that airline less likely.

Competitor Row 44 doesn't fare better in his analysis, as they promised spring and summer 2008 tests that still haven't happened, with Southwest and Alaska Airlines.

I'm a little more positive about the future of in-flight broadband. There's no particular conspiracy. It's hard to make it work. Development and testing is tricky due to FAA limits, and getting in-flight handoffs to work for seamless service at 35,000 feet is far more difficult than, say, cellular handoffs in a moving car at 100 feet above sea level. My suspicion is that tuning the service to be entirely reliable at launch is what's taking so long.

Brancatelli blames the high price of Connexion on its failure, but I don't think the $27 fee for long-haul flights deterred users. Lufthansa, which deployed all its long-haul fleet, apparently had very good usage. Most other airlines had few craft equipped, which didn't allow business travelers, able to expense several hours of work for a $27 fee, the reliability of having on-board Internet when they needed it. Connexion also had many reports of spotty service in certain areas.

Connexion's failure came from deploying technology that was old when it was deployed, which weighed too much, and which was too expensive to install. Connexion's revenue and expenses were forecast based on having several hundred aircraft with Connexion service--recall that it was supposed to be a domestic U.S. service, too. In the end they had about 100, I believe.

Brancatelli is also modest when he says Boeing "lost" $300m. That's part of what they wrote down. My sources say they spent more than a billion in R&D, transponder leases, ground station operation, airline incentives, and payoffs at the end.

A hopefully terminal delay in enhanced advertising

Sun, 17 Aug 2008 20:00:00 +0000

NebuAd, an advertising service that tracks users' Web activities, is feeling the heat from Congress and others.

Delayed printing from AS/400 on Windows 2003 network server

Wed, 30 Jul 2008 10:42:13 +0000

A delay in printing from AS/400 on Windows 2003 network server is likely because of the default time for the Windows server to accept the incoming connection.

Social Security Administration lists live people in the Death Master File

Mon, 07 Jul 2008 04:44:12 +0000

Technorati Tag: Security Breach

Date Reported:
6/26/08

Organization:
U.S. Government

Contractor/Consultant/Branch:
Social Security Administration

Victims:
United States citizens

Number Affected:
"more than 20,000"

Types of Data:
Name, date of birth and Social Security number

Breach Description:
"The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive"

Reference URL:
FederalComputerWeek

Report Credit:
Michael Hardy, FederalComputerWeek

Response:
From the online source cited above:

The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined.
[Evan] "The DMF is a publicly available database maintained by SSA that contains detailed information on more than 82 million deceased numberholders. Each year, SSA receives death reports for more than 2.5 million individuals and adds the information to the DMF. " (Source: SSA Inspector General AUDIT REPORT A-06-07-27156). This breach was not the result of single occurrence, but instead is a result of errors in current process.

The IG's analysis dates to January 2004.

Since then, SSA has made the live people's Social Security number, full name, date of birth, and state and ZIP code of last known residence available to users of the database
[Evan] The organization that distributes and manages the "system" cannot secure the information. Is this is just another case that proves that the "system" is busted?

After learning that those people were not deceased, SSA deleted the information

The IG's investigators found some instances where the personal information was available for free viewing on the Internet

SSA provides the data to the Commerce Department's National Technical Information Service (NTIS), which in turn sells it to customers.
[Evan] Selling a dead man's (or woman's) information doesn't seem right to me. Do you see anything wrong with it?

Customers include the government, investigative businesses, financial and credit reporting firms, and geneaology researchers.

Some, including prominent geneaology Web sites, post some or all of the information online for their users.

To prevent a repeat of the situation, the IG's recommendations include:

Implementing a risk-based approach for distribution of DMF information. One suggestion: Have NTIS delay release of updates to public customers for one year to give SSA ample time to correct erroneous entires.
Limiting information included in the data sold to public customers.
Starting required breach notification evaluation procedures.
Providing appropriate notification to living individuals whose information was released in error.

In response to the IG's report, SSA said limiting the personal information might be difficult, but it would consider doing so.
[Evan] There are many practices to secure information that "might be difficult", but this is not a good excuse. Life "might be difficult", so what?

The agency agreed with the other recommendations.

Commentary:
The use of Social Security numbers as personal identifiers as well as authenticators seems to be a very significant contributing factor to the identity theft mess we face today. So how did Social Security numbers become so important in the first place? Read the "Social Security Number Chronology" on the Social Security Administration web site for some clues.

To my knowledge, the victims in this breach have not been (nor will they be) notified.

Past Breaches:
U.S. Government:
March, 2008 - A breach that hits home with 2008 presidential candidates
March, 2008 - Laptop stolen from NHLBI contained personal health information

Your 419 Mail Roundup

Wed, 02 Jul 2008 13:11:42 +0000

A handful of scam mails currently in circulation, including one mention of "groundnut oil" that seems so bizarre I had to highlight it in bold text. All this and more, after the jump...
Subject:
FROM THE DESK OF MR. STEVEN JAMES
From:
"Steven James"
Date:
Mon, 30 Jun 2008 19:17:03 +0100
BCC:

FROM THE DESK OF MR. STEVEN JAMES
CHAIRMAN INTERNATIONAL RELATION
FIRST BANK OF NIGERIA PLC
# 1 BANK ROAD WUSE FCT
ABUJA-NIGERIA.
PHONE: +234-80-66520277
Email: stevenjames809@live.co.uk

Very Urgent Attention,

Please permit me to introduce my humble self to you, my name is Mr. Steven James, I am the Manager of International Relation with First Bank of Nigeria Plc, I 'm 38yrs old, and I got your email address from a friend of mine, and my confidence reposed on you. I hope you read this message carefully and reply me immediately. Although we have not met before, but I suggest that this transaction will bring us together.

My dear, we had a customer, a foreigner but base here in Nigeria, his Name was Mr. Hamilton Creek. He is from Atlanta Georgia United State of America, but based here with his wife and his two children, Mr. Hamilton has being banking with us for the past 4yrs and some time in August 2002, Mr. Hamilton was on his way to his house, and unfortunately ran into a Trailer load of Groundnut Oil, and died   immediately, Their car got burnt, no single soul was saved, Mr. Hamilton Creek and His entire family was confirmed dead.

My Board of Directors and the Management of First Bank has mandated and instructed me to look for Mr. Hamilton Creek? Relation(s) and his Next of Kin to come and claim his fund, Since August 2003 till date, I have been looking for his relation's or his next of Kin to come and claim his fund which he Deposited with our bank, I have contacted his Embassy and after 3days, his Ambassador told me that Mr. Hamilton Creek has no relation and no next of Kin, their Ambassador told me that he used his first son as His next of kin, but it is quite unfortunate that Mr. Hamilton Creek Died with all his family members.

The reason why I contacted you is thus, Mr. Hamilton is dead, and his only son who supposed to inherit his properties and money also died with him. As at this moment, nobody or person[s] is coming to   claim this Money from our bank. The Board of Directors and management of our bank told me that if nobody or person[s] apply for the claim of Mr. Hamilton Fund, the bank will return the entire Fund into our Federal reserve. In the Light of the above, I want you to stand as the next of kin to Late Mr. Hamilton Creek; it might interest you to know that he had a Domiciliary Bank Account with our Bank and he has a total sum of US$9.2M Nine Million Two Hundred thousand Dollars, this is the exact amount which he had in his domiciliary account before the ugly incident occurred, and this money is still in his account as unclaimed money.

This transaction is very easy and simple, and it is 100% risk free, I'm the Manager for International Relations with First Bank of Nigeria Plc, and the Management and Board of Directors of the Bank are waiting for me to provide to them the Relation or next of Kin to late Mr. Hamilton Creek, of which I told them that I am still searching the next of kin to the deceased. Finally, if you are interested with this transaction, I will front you to the bank as the only next of kin to late Mr. Hamilton Creek, and I will let the bank know that you are the only right person to inherit Late Mr. Hamilton Funds and properties. If you are interested, just email me or call me on my   direct and private line#: +234-80-27536038 and late Mr. Hamilton's Funds will be credited into your account and all his Properties will be released to you either through Courier Services or the Bank will Cargo all his properties to you in any were you want it.

So reply me immediately and feel free to ask any question with regards to this transaction. You will take 50% of the US$9.2M. Which is? US$4.600, 000.00 Four Million Six Hundred Thousand Dollars, while the Balance of the same amount will be mine.

Your swift response will be highly appreciated.

Thanks and have a nice day.

Friendly Regards

Mr. Steven James

*******************************************************************************************

Subject:
REPRESENTATIVE NEEDED
From:
DFS SALES LTD UK
Date:
Tue, 01 Jul 2008 23:00:55 +0800
To:
undisclosed-recipients: ;

COMPLIMENT OF THE DAY TO YOU.

I am PETER WOODS from DFS SALES LTD UK.(
Website: www.dfs-online.co.uk ) Visit our site

We are into furnitures and we sell shares to people in
Canada,America, Australia and Europe.

We are in need of a book keeper. someone who can represent our company
in his/her country.

Our client in your location will contact you and make the company
payment to you.

You will be entitle to 11% of every payment been made out to you.

This is because most of our officer are from china and they do not

understand english very well.its hard for them to contact our
customers.

Our head office is located in CHINA. But we have a sub-office in the
uk.

If you are interested, Kindly send the entries for more understanding.

NAME IN FULL :.........
COMPANY NAME: .....
POSITION:......
FULL ADDRESS: .......
CITY/TOWN:........
STATE:............
ZIP CODE:........
COUNTRY:.......
MOBILE:.......
HOME TEL: .....
EMAIL ADDRESS: ........
OCCUPATION: ...........
BANK NAME :.......
AGE:............

You are to send the above details to

NAME : PETER WOODS.
EMAIL : dfs_woods@yahoo.co.uk
PHONE NUMBER : +44-704-575-0212

HOPE TO HEAR FROM YOU

*****************************************************************************************

To:
undisclosed-recipients:;

Good day!!!

We have been waiting for you since to contact me for your Confirmable Bank Draft of ?18 Million (Eighteen Million Pounds sterling) but we did not hear from you since for a couple of weeks now. Then we went to the bank to confirm if the draft that expired or getting near to expire and Metropolitan Police Uk told us that before the funds will get to your hand that it will expire.So I told him to cash the ?18 Million (Eighteen Million Pounds sterling) to cash payment to avoid losing this fund under expiration as I will be out of the country for a 6 Months Course.

What you have to do now is to contact FED EX COURIER SERVICES as soon as possible to know when they will deliver of your funds to you because of the expiring date. For your information we have paid for the delivering Charge Insurance premium. The only money you will send to the FED EX COURIER SERVICES to deliver your cheque direct to your postal Address in your country is ?250.00 being Security Keeping Fee of the Courier Company so far. Again don't be deceived by anybody to pay any other money except ?250.00 for the Security Keeping Fee.We would have paid that but they said no because they don't know when you will contact them and in case of demurrage. You have to contact FED EX COURIER SERVICES now for the delivery of your Draft with this
information below:

CONTROLLER: Mrs.Helen Williams
NAME: FED EX COURIER SERVICES
ADDRESS: fedexofficeuk@gmail.com
PHONE NUMBER: +447024080684

IF YOU ARE THE OWENER OF THE FUNDS AND YOU WILL SEND YOUR INFORMATION TO US SO THAT WE CAN DELIVERY YOUR FUNDS TO YOU WITHIN THE NEXT 84HRS TIME.IF YOU DO NOT RECEIVED YOUR FUNDS WITHIN THE NEXT 72HRS TIME AND YOU REPORT US THE UK FBI AND THE METROPOLITAN POLICE (SCOTLAND YARD) or YOU CONTACT YOUR LAWYER TO TAKE UP PROCEDURES AGAINST US.

Let me repeat again try to contact them as soon as you receive this mail to avoid any further delay and remember to pay them their Security keeping fee of ?250.00 for their immediate action. The FED EX COURIER SERVICES don't know the contents of the funds. This is to avoid them delaying with the funds.

Thanks as you contact them today.

Yours Faithfully

Mrs Helen Williams.

(The above actually comes with a nifty graphic that they've thrown in, thinking it makes it all look more legitimate. It doesn't, but here it is anyway):

....altogether now: oooooh. A slightly shorter 419 roundup than usual, but I'm sure I'll have piles of the things next week.

Bill Gates retires, Symbian goes open source

Thu, 26 Jun 2008 20:00:00 +0000

Microsoft, usually a source of software patch updates and claims about Vista adoption rates, produced a bit of sentimental news this week as Bill Gates stepped away from his daily corporate duties on Friday. Gates, who founded Microsoft at age 19, will now devote his time to philanthropic work. Meanwhile, the U.S. Senate discussed the issue of laptop searches and seizures at the nation's borders and also decided to delay a vote on a controversial spy bill. While on the topic of controversial plans, an ISP (Internet service provider) suspended a program that would have served up ads based on a user's Internet history after the move sparked privacy concerns. Yahoo, a perennial name in this space, defended its Google ad deal on Wednesday and the next day launched yet another reorganization. Finally, Oracle wants at least US$1 billion from SAP due to infractions supposedly committed by a subsidiary.

Your 419 Mail Roundup

Wed, 25 Jun 2008 09:29:29 +0000

Are you ready for more 419 missives?

Of course you are. Plenty of winning lottery tickets, fictitious banks, a wonderfully sick "Robert Mugabe" themed mail and, er, someone called "Captain Frank Bojo" after the jump...
Subject:
HELLO DEAR
From:
"abavanagift13 Gazeta.pl"
Date:
Sat, 21 Jun 2008 12:26:24 +0000
BCC:

Hello Dear,

My name is Blessing Abavana, the elder daughter of Mr. paul Abavana of Zimbabwe, I am 17 years old with my younger brother (Micheal), we are in Ghana as refuge/asylum since we lost our parents because of the recent war that occurred in our country.please do go through this web page for better understanding with full details:

http://www.rte.ie/news/2000/0418/zimbabwe.html

I am looking for one who will honestly assist my younger brother and I to realize our inherited funds into your account and as well as invest it into a lucrative business.

During the recent war against the farmers in Zimbabwe from the supporters of our President, Robert Mugabe to claim all the white -owned farms to his party members and his followers, he ordered all the white farmers to surrender all their farms to his party members and his followers.

My father being one of the few rich and successful black farmers in our country was also victimized because of his opposition to Mugabe's policies. And because he did not support Mugabe's ideas, Mugabe's supporters invaded my father's farm and burnt everything in the farm, killed my father and made away with a lot of items in my father's farm. This action was taken because my late father felt the growing tension on the farm issue, but I guess he never anticipated the tragedy that brought their brutal and sudden death.

However with the benefit of hindsight, owing to the looming but deteriorating crisis in my country, Zimbabwe, my father, before his unfortunate death deposited with International Commercial Bank (ICB) here in Accra Ghana the sum of US$ 35MUsd (Thirty Five Million United States Dollars), with the sole aim of acquiring and buying some dredging equipments in setting up of a dredging firm with his partner. With his death and all his assets seized at home and accounts frozen, the family is now in a very difficult situation.

After the death of my father, my brother and I escaped to the Republic of Ghana where he had deposited the money in the Bank . And we were permitted to reside here as Political Refugees.

So Because of our present and unpleasant status here we decided to contact an overseas firm / individual that can assist us to move this money out Of Ghana because, as asylum seekers, we are not allowed to operate any financial transaction of such amount within Ghana and also to assist in providing me and my brother a permanent residential permit in your country after the money must have been transferred to your account.

We have agreed to offer you 30% of the total sum for your assistance, and the rest will be for my brother and I, to Invest in your country under your assistant

All I want you to do is to furnish me with the below information including your readiness to assist me achieve this transaction for investment purposes in your country under your supervision. Kindly re-confirm to me the followings:

1) Your Full Name:
2) Phone, Fax and Mobile
3) Profession, Age and Marital Status.
4) Nationality

I have to re-assure you that this transaction is 100% risk free and should be treated with absolute confidentiality. All the vital documentation/certification that has to do with the origin of the fund is with me for the security reasons.And I will send them to you when we progress.And I guarantee you that this fund is not government fund, drug money, or from arms deals.

I will detail you more about the bank immediately I receive your acceptance response. I hope this is the beginning of a prosperous relationship between us.Thanks and God bless you

Regards

Blessing/Micheal Abavana

(Wow, spectacularly sick. Not that we're expecting scammers to have any morals, of course).

*********************************************************************************************

Subject:
Lycos Online Lottery Notification
From:
"LHOUTY MOHAMMED HASSANE"
Date:
Sun, 22 Jun 2008 02:42:53 -0000
BCC:

LYCOS LOTTERY ONLINE
8th Floor
1 Stephen Street
London
W1T 1AL

WINNING NOTIFICATION
This is to inform you that your email address has won the Lycos Lottery for the year 2008. your email has won you the sum of ?952,350.00 (Nine Hundred And Fifty Two Thousand, Three Hundred And Fifty pounds sterling).
You are advised to keep this notice confidential to avoid misinterpretation of funds and unauthorize claims, cheating or fraud.
To claim your funds please contact us with the information below.
Name: Dr. George Stevenson
Tel:+447031991681
Email:lycosclaimsdpt@gmail.com

It is mandatory that you send us your full names, address, phone number,
age, sex and occupation to enable us arrange your claim.

Note: Winners were selected through a computer ballot system drawn from Microsoft users from company and individual email addresse users. All winning must be claimed not later than 21 working days from the time of notification. After this date all unclaimed funds will be returned to European Union Treasury as unclaimed funds.

Congratulations from mambers and staff of Lycos
Lhouty Mohammed Hassane.
Lycos Lottery Co-ordinator

(A "Lycos Lottery" and they're using a GMail address? Doh).

*********************************************************************************************

Subject:
Yukos Oil
From:
Mr. Timinskiy Vladimir
Date:
Wed, 25 Jun 2008 5:38:17 -0400
To:

I have a profiling amount in an excess of US$100.5M, which I seek you in accommodating for me. You will be rewarded with 4% .If intrested, please reply me for moredetails...
Regards
Mr. Timinskiy Vladimir

(Short. Sweet. Pointlessly fake).

*******************************************************************************

Subject:
Immediate Release of Your FUND Via ATM CARD
From:
"Mr. Mark Louis"
Date:
Wed, 25 Jun 2008 01:45:09 -0700
To:
undisclosed-recipients:;

SUBJECT: Immediate Release of Your FUND Via ATM CARD

Attention: ATM Card Beneficiary,

I wish to use this medium to inform you that your CONTRACT/INHERITANCE Paymen of USD$10,000,000.00 (Ten Million United States Dollars) from CENTRAL BANK
OF NIGERIA have been RELEASED and APPROVED for onward transfer to you via an ATM CARD which you will use to withdraw all the USD$10,000,000.00 in any
ATM SERVICE MACHINE in any part of the world, but the maximum you can withdraw in a day is USD$10,000.00 Only.

We have mandated IBTC CHARTERED BANK PLC, to send you the ATM CARD and PIN NUMBER which you will use to withdraw all your USD$10 Million Dollars in
any ATM SERVICE MACHINE in any part of the world. You are therefore advice to contact the Head of ATM CARD Department of IBTC CHARTERED BANK PLC;

Contact Person: Dr. Olu James
Office email address: pcfc_nigeria@yahoo.com
Private: +2347084501007
Office:018969906

Tell Dr. Olu James that you received a message from the CENTRAL BANK OF NIGERIA. Instructing him to send you the ATM CARD and PIN NUMBER which you will use
to withdraw your USD$10 Million Dollars in any ATM SERVICE MACHINE in any part of the world, also send him your direct phone number and contact address
where you want him to send the ATM CARD and PIN NUMBER to you. We are very sorry for the plight you have gone through in the past years. Thanks for adhering to this instruction and once again accept our congratulations.

Best Regards.
Mr. Mark Louis.
Executive Governor,

Central Bank of Nigeria {CBN}.

(Ah, the old "Let's lure them in with the magical bank card" trick).

******************************************************************************************

Subject:
CONTACT THE FEDEX COMPANY FOR YOUR FUNDS
From:
"SAMUEL DUNBAR"
Date:
Fri, 20 Jun 2008 12:33:43 +0100
BCC:

Dear Friend,

Compliment of the new year, I have been waiting for you since to come down here and pick your Bank Draft which my boss left with me before he travelled to England but I did not hear from you since that time till today. I went to the bank to confirm whether the draft is getting close to expire as it had been long time my boss issued the draft. The director of the bank told me that before the draft will get to you, that it will expire. Then I told him to help me and cash the cashier bank draft of $1,500.000.00 to cash payment.

However, I have successfully cashed the draft and packaged it in a box and have registered it in the Fedex Express Company Service here in Benin Republic because I will travell to see my boss in England and will not come back till August 20th 2008. You have to contact the Fedex Express Company Service to know when they will deliver your package to your address. I have paid for the delivering charges and insurance fees. The only money you have to send to them is their security keeping feeswhich is USD$135.00 USD to receive your package. Don't be deceived by any body.

This is their Contact Address;
Attn: Cheif Mr. George Kobra (Director)
Tel: +229-9799 2240
E-mail: fc.bj@sify.com

Send them your contacts information to enable them locate you
immediately they arrived in your country with your package.

This is the information they needed from you.

1. Your full name:.....
2. Your shipping/home address:.....
3. Your tel no #......
4. Your current office tel no #
5. A copy of your passport.

Try to contact them as soon as possible to avoid increasement of the security keeping fees Note; I didn't tell the Fedex Express Company Service that it's money inside the box, I registered it as a church of a Church Minister Materials. This is to avoid delay or any upfront problem during the delivery. So, do not let them know that the package contents money. Do let me know as soon as you received your package. You will contact me only through e-mail as my phone is no longe available now that I am out from our country. Contact me at samdunbar1986@yahoo.com and I will reply as soon as I can.
I wish you and your family Long Life,
Prosperity and Happy 2008.

Thanks and Remain Blessed.

Yours sincerely,
Mr.Samuel Dunbar
(Secretary)

(Honestly, if you contact FedEx they'll give you tons of money....)

****************************************************************************************

That's your lot for another week....

Swedish parliament approves bugging bill, after delay

Tue, 17 Jun 2008 20:00:00 +0000

On Wednesday evening the Swedish parliament voted to approve a bill that will make it possible for local authorities to monitor e-mails, fax messages and telephone calls.

Loving customers frustrate security firms too

Fri, 13 Jun 2008 15:45:37 +0000

Roger Grimes has a good article up on his InfoWorld, Security Advisory blog entitled "Security firms frustrate loving customers". Roger details some specific examples of how security vendors just don't "show the love" to customers and prospective customers, with the result being lost business. Roger highlights three examples:

1. Making renewals a manual process with those annoying phone trees. I agree, when I hear the press 1 for this and press 2 for this, my blood starts to boil. There is no reason that this just can't be built into the product to renew over the web. Security or no, any software vendor not doing it this is just plain crazy.

2. Calling into a company with a sales inquiry and the sales guy never calls back. This one just kills me. When doing due diligence on potential acquisitions at a prior company I would call in or email with a sales inquiry and wait to see how long it would take for them to get back to me. It was a good indication of how well the sales organization and company functioned.

3. Killing the deal with one sided, overly legal and burdensome terms. Another one that I battle all the time. The CFO has to be able to recognize revenue so needs specific T&Cs. The lawyers want to protect the vendor against all eventualities and is doing his job. You want to make as few warranties and representations as possible to limit your liability. The result, the customer gets one sided, unfair document with fine print on maintenance pricing, renewals, SLAs, etc. Most customers don't even read the EULA. Take a lot at some of the ones with software you have bought. It may surprise you.

But in my best Fox News voice, lets be fair and balanced. So in that vein, let me give you 3 specific examples of how loving customers frustrate security firms:

1. The guys who picked the product leave and the new guy comes in and doesn't have a clue. This happens all the time, especially in the government. One guy or team buys the product for a specific reason and has all of the expertise. The new folks come in and even if they know your product is there, they don't know why or how to use it. They may feel they inherited this product and have their own favorite product in this category. They can't wait to replace you and either don't use the product at all or blame the problems of the world on it.

2. Buying the product and than "other priorities" delay implementation. A surefire recipe for shelfware. When I see this happening I tell our folks better to be a pain in the butt and force them to use the product they bought than to sit around watching the license expire on the shelf. The longer the product sits, the more it becomes a nice to have, rather than a must have, that drove the sale. Now sure, one can say that what does the vendor care, the customer paid. If he doesn't use it, less support costs. But you don't get renewals, you don't get upsells or referrals without customers using product.

3. Using the product in unintended ways. Another favorite heartburn of mine. Customers figure just because the application runs Linux underneath, why can"t I run (You Name It). We recently had a customer that was chewing up support hours like the dial at a gas pump today. It turns out the problems we all due to the all of the other software that he had put on the box, not to mention editing .conf files, database tables, etc. It is hard enough supporting the software we developed. It is a whole another story supporting software that you have written.

So Roger, yes the customer is always right and security vendors have to get their act together if they want to survive, let alone compete in these tough economic times. But customers certainly don't make the job any easier with some of the shenanigans they pull.

Axcess Financial reports stolen laptop to New Hampshire AG

Wed, 28 May 2008 07:45:44 +0000

Technorati Tag: Security Breach

Date Reported:
5/13/08

Organization:
Axcess Financial Services, Inc.*

*Axcess Financial Services, Inc. appears to be affiliated or another name for CNG Financial Corp. aka Check 'n Go.

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
Unknown**

**Axcess informed the New Hampshire State Attorney General of 142 residents affected in her state.

Types of Data:
"personal information (such as name, address, and social security number)"

Breach Description:
Axcess Financial Services, Inc. has notified the New Hampshire State Attorney General of a breach involving a stolen employee laptop that contained personal information belonging to customers.

Reference URL:
New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

The purpose of this letter is to inform the New Hampshire Department of Justice that a security breach occurred in connection with a crime involving an employee's stolen computer.

Although information contained within the stolen computer is unlikely to have resulted in unauthorized access due to the password protection and other security measures, we are notifying your office because information contained therein may have included data with some of your residents' personal information (such as name, address, or social security number).
[Evan] Password protection provides very little assurance that the information won't be accessed. What are the "other security measures"?

This crime occurred on or about October 23, 2007, and we filed a police report with state law enforcement officials.
[Evan] October 23, 2007?!

Following the discovery of this crime, an extensive forensic investigation was required to determine the information contained within the stolen property.

There has been no indication that any misuse of this information has occurred in connection with the breach described above.
[Evan] A breach notification almost wouldn't be a breach notification without this statement (or similar).

Notification to the 142 affected New Hampshire residents was mailed in the form of a letter on or about May 13, 2008
[Evan] This is 6 months and 20 days (or 203 days) after the incident occurred! Why the delay? Do you suppose that a "forensic investigation" of the information that may have been on the laptop took this long? Ugh. Maybe the police asked them to wait. Either way, this amount of time seems extraordinarily long.

Axcess Financial fully intends to cooperate with law enforcement in this ongoing criminal investigation and to assist customers with concerns relating to this unfortunate event.

Notification to customers:

We are writing to advise you of a petty crime involving an employee's stolen belongings on October 23, 2007, which happened to include a secure computer that may have contained data with some of your personal information (such as name, address, or social security number).
[Evan] Really? A "petty crime"? Petty as in "of little or no importance or consequence"? This seems like a very poor choice of words, in my opinion. Affected customers may beg to differ.

It is highly unlikely any information has been breached because of password protection security measures.
[Evan] Come on! Password protection (OS-level) in and of itself certainly does not make a breach "highly unlikely".

There are no reported incidences of any issues.

While we are still awaiting the outcome of the police investigation, we are being proactive out of abundance of caution.
[Evan] A display of proactive abundance of caution would be to encrypt laptops and apply tight controls around what information is allowed to be stored on them (among other things).

Because there is a possibility that your personal information could have been subject to unauthorized disclosure, we have arranged to provide you - at our expense - 12 months of a credit monitoring service.
[Evan] How nice.

For any questions, please call 1-888-347-3595

Commentary:
In my opinion, this is one of the worst breach notifications that I have read in some time (if ever). The notification is full of statements meant to minimize importance and risk. There isn't even an apology to customers. Personally, I am glad to not be a customer with personal information under the custodial care of this company.

Disclaimer:
Due to the fact that I was a little harsher in my comments regarding this breach and in my opinion rightly so, I should state that my comments are my opinions. I am limited in the amount of information I have about this breach, so many of my opinions are based on what I read and my own experience. Axcess Financial has much more information surrounding this breach, and as instructed in the notification letter call them with questions.

Past Breaches:
Unknown