Finjan, a data security services firm, reported today that more than 500 megabytes of stolen medical and business data and Social Security Numbers (SSNs) have been found on “crimeservers” in Malaysia and Argentina. The data were stolen from systems for a major airline and a health care provider using widely available hacker toolkits, trojans, and command and control servers.

According to Finjan’s May 2008 Malicious Page of the Month (free registration required), the vulnerable health data was accessible via compromised login information for healthcare systems using Citrix remote access software. Social Security Numbers (TINs - “tax ID numbers” for individuals) were accessible via a compromised IRS employee login.

In early May, Finjan reported on a different server being controlled by hackers that contained a 1.4GB cache of stolen data. Compromised data involved 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR) and resulted in the company notifying 40 major international financial institutions and law enforcement agencies located in the US, Europe and India.

A number of news sources and commentators are reporting this week on a University of Washington white paper criticizing the recent development of using automated processes (’bots’ or monitoring agents) against BitTorrent and other heavy bandwidth users to generate automated DMCA takedown demands.  Many takedown demands are based solely on observed patterns of Internet use.

Are DMCA bots applying the ‘racial profiling’ equivalent of copyright law enforcement? I’m waiting to see if public rights advocates such as the EFF and ChillingEffects.org will begin to actively use the sanctions already present in Section 512(f) against wrongful and overreaching DMCA takedown demands as a strategic weapon against the shotgun effect of enforcement by “unmonitored” monitoring agents.  The courts have so far declined to impose penalty damages against most rights owners making technically defective claims (the case against Diebold for using the DMCA to suppress criticism of defects in voting machine software is one of the notable exceptions where large damages were awarded).  Carpet-bombing users with defective DMCA cease-and-desist demands is irresponsible and should expose the content industry to money damages for abusive DMCA claims.

It was inevitable, and now it’s “official”: the 2008 Economic Stimulus Payment is the new Nigerian scam.

A few of my clients this week reported receiving one or more phishing emails about the 2008 Economic Stimulus Payment from the US government. Then I received one myself this morning. (”Gee, how could the IRS possibly know I switched email addresses?” was my first thought.) Here’s the email I received:

Don’t click on the link.  Don’t click on the link.
The rule is worth repeating.  Practice safe Internet computing — don’t click on a link in an email seeming to come from your bank, eBay, PayPal, or your federal government about your “account details” or to “apply” for something. Go to the official site and do your business starting from there (or investigate or report the phishing email, from there).

The grammatical and formatting errors which allow users to identify phishing scams are becoming much more subtle as the phishes and the phishers themselves become more refined. Note to Phish-Dude: there are some big issues in your general approach here. It is generally a tip-off to us where the federal government uses an exclamation (”!”) point at the end of any communication. We’re just not that officially enthusiastic about anything here in the U.S. Also, while I personally consider the stimulus payment to be a kind of ‘moral refund’ for putting up with the last 8 years of government, the payment is technically not a refund, but a disbursement. (Readers are welcome to offer other grammar and spelling observations and feedback in the Comment section.)

Clicking through (don’t click on the link!) redirects the email recipient to the following page:

While you don’t have to, I frequently amuse myself by picking the IP address out of the email link (my email program, Thunderbird, allows me to right-click and copy a link). Phishing scam emails have URL links that almost always show an IP address rather than text, as this one did:

http://211.32.47.11:443/irs_redi/

When I went to DomainTools and did a reverse IP search on the 11.32.47.11 IP address, it came back “unknown”. Finally, I also note: Thunderbird and Firefox (my recommended email and web browser software of choice) both tried to warn me several times that the email and the website were a scam. Ignoring all of this “Danger, Danger, Will Robinson!” and directing yourself straight into harm’s way is possible, but much less likely with these than it is with other software.

Introducing the PHISHY: Arborlaw’s new annual award for phishing and other email scams
Is there an annual award for phishing campaigns? I couldn’t find one, so I’m announcing the Arborlaw PHISHY™ Award. You can document your submissions for the Best Phishing Attempt of 2008 in a comment here: Arborlaw 2008 PHISHY™ Awards — Submissions Page.

Document your award submissions with links to relevant materials in the comment section below (Comments on pages rather than blog posts not working in WordPress 2.5 — sorry!).

Submissions for the 2008 Arborlaw PHISHY™ Award will close on December 31, 2008.

The ABA Journal is reporting another development in attorney-client privilege concerns with the booming legal outsourcing market. Here are the questions:

Does the monitoring of cross-border communications by the United States government under the Patriot Act and the Wiretapping Act and the lack of US constitutional protection in foreign countries violate an attorney’s duty to keep client matters confidential?

Does outsourcing act as a waiver of the attorney-client privilege or otherwise permanently affect a client’s legal rights?

One law firm is concerned that the answer is ‘yes’ — and has sued the Bush administration for declaratory judgment and asked the District of Columbia and Maryland bars for ethics opinions on the matter. According to Newman McIntosh & Hennessey, US government interception of attorney-client communications is highly probable because the National Security Agency (NSA) is free to spy on foreign companies. The Newman firm filed the complaint and ethics opinion requests seeking guidance on whether outsourcing of legal services compromises constitutional rights — and wants the court to order law firms to disclose their use of outsourcing and foreign legal support to clients, and to order the US government to establish protocols to shield attorney-client information from US government surveillance.

The complaint and legal inquiry arose out of a solicitation to the Newman firm by Acumen Legal Services (India) Pvt., Ltd./Acumen Solutions, LLC (TX) to provide the law firm with outsourced litigation support. Hennessey, a named partner for the firm, is concerned that information from his personal injury and medical malpractice practice could fall into the hands of competitors who employ outsourced services, through the electronic discovery process. According to Hennessey:

It’s not paranoia. It’s just fact . . . . [N]ow that we’re outsourcing services, we have given no consideration to the ongoing practice of the government harvesting information out there.

Hennessey openly wonders whether explicit client consent should be required before any data is sent abroad.

Legal outsourcing has grown dramatically in the last decade as bandwidth has improved to easily handle large amounts of imaged data, facilitating remote document scanning and low-cost document review, primarily in India.

Here’s why this is a particularly interesting story to watch: A. large law firms are now relying heavily on the practice of outsourcing their legal document imaging and legal document review work to maintain their profit margins. B. The regulation of attorneys is almost entirely a matter of state law. I’m not aware of any federal controls over the attorney-client relationship or attorney-client privilege (except with regard to the recent encroachment on attorney-client communications in the representation of enemy combatants in connection with Guantanamo and Bush administration military tribunals).

The case has been assigned to District Judge Colleen Kollar-Kotelly (chief judge of the Foreign Intelligence Surveillance Court - although this is apparently not a FISA issue).

Tip of the hat to the Blog of Legal Times for breaking this story.

Loved this New York Times illustration from the book review of Bill Bishop’s The Big Sort, which I found over on Richard Florida’s blog, The Creativity Exchange.

Nice reference to the Crustacean Period, and a strong suggestion that here in Michigan we have to evolve our economy and the way we do business, lest we be annexed by Downwardly Mobilovia.

The book explores the nuances in “community” and “civil society” and how these connect to economic activity and regional heath. Bishop’s point: traditional civil society is still alive in many economically troubled cities and regions like Birmingham, Ala, Cincinnati and Grand Rapids, MI (ranking high in volunteerism, voting and churchgoing). A new civil society has arisen among the creative class in places like Seattle, New York City, Boston (and Ann Arbor) — where bike trails, clubs, museums and broad acceptance of same-sex couples flourish and bring people together in a cohesive community. The most community-cohesive places in America can be either the most economically stagnant parts of the country or the most vibrant. According to Bishop, we are sorting ourselves recursively into more and more cohesive communities based on our lifestyles and views, and this has huge consequences economically, and for politics (including the upcoming presidential election). Here’s the Amazon link for the book — The Big Sort is finally going to be on my nightstand this week.

Here’s a followup to “Trade Secret Claims No Longer Protecting Source Code from Discovery — So How’s Your Code?”:

WSJ’s Tech Blog recently published a profile of the ‘typical’ tech entrepreneur, based on a survey by the Kauffman Foundation. Here are the typical characteristics:

• founded their $1,000,000-plus company, on average, at 39 years of age
• more than 90% have completed a college degree
• four times as likely than the general public to have attended an Ivy-League university
• spending an average of 16.4 years in employment, prior to founding their startup company
• only 37% have computer science or engineering degrees, and 3% have liberal arts degrees

The entrepreneurs surveyed were executives of companies started between 1995 and 2005 heading up companies with revenues of at least $1 million. http://tinyurl.com/4bzdld (Wall Street Journal Online — subscription required).

Interesting to me: no mention of the gender breakdown. While the Bill Gates stereotype of the ‘20-something college dropout who strikes cyber gold in his garage’ is apparently dead-wrong, I’d be interested to know whether the stereotype of the relative scarcity of women entrepreneurs is dead-right.

As I reported here, the Michigan film and entertainment industry incentives legislation was fast-tracked and signed by Governor Granholm today (April 8, 2008). Companies can receive incentives such as a 40% tax break and assistance from the state with locations and the use of state resources, in qualifying film and entertainment projects.  Here are the descriptions of the main incentives from the Michigan Film Office:

• 40% cash rebate across the board on qualifying Michigan expeditures, with a minimum required spending threshold of $50,000.
• Michigan will add an extra 2% if the qualifying project is filmed in one of the  103 Core Communities in Michigan.
• Project labor and crew makeup: 40%-42% Michigan residents, 30% Michigan non-residents
• The law includes a workforce development tax credit for hiring and training current Michigan-based crew to acquire new professional skills or attain a higher professional level.
• The law includes a low interest loan program and an infrastructure tax credit program.
• The only salary cap will be a maximum of $2 million salary per employee.
• There is no sunset on the incentives law.

Here are links to the texts of the new law:

Michigan Public Acts