Saturday, December 19, 2009

How rude. Fortunately, I can make this a class project next term.

DECAF: “Game Over”

December 18, 2009 by Dissent Filed under Other, Surveillance

Earlier this week, this site linked to a news report on DECAF, a counter-COFEE application. Now it appears that DECAF was a hoax. The site now reads:

We want to thank every media outlet, financial supporter, security expert, and forensic investigator that showed us support.

As you probably noticed, your copy of DECAF no longer works. We have disabled every copy of DECAF. [Project step one, turn it back on. Bob] We hope that as you realize this was a stunt to raise awareness for security and the need for better forensic tools that you would reconsider cutting corners on corporate security. Also, governments should not rely on a tool to automate the process of forensics but rather invest in the education of investigators and forensic tool experts. If we were able to assist every government agency in their computer crime investigations, we would. The problem is DECAF is just two people. As a security community at large, we need to band together and start relieving some of the burden off our government by giving back.

The remainder of the message seems to be pretty much Christianity-oriented.

Thanks to Richard Forno of for making me aware of this.

Interesting. I suspect we won't see a similar law in the US. Too many companies believe that secrecy is better for business. (They don't really believe patents and copyright protect them.)

Mandatory Use of Open Standards In Hungary

Posted by ScuttleMonkey on Friday December 18, @06:20PM from the you'll-be-open-and-like-it dept.

qpeter writes

"Hungarian Parliament has made the use of open standards mandatory by law in the intercommunication between public administration offices, public utility companies, citizens and voluntarily joining private companies, conducted via the central governmental system. The Open Standards Alliance initiating the amendment aims to promote the spread of monopoly-free markets [I can hear the alarm bells going off in corporate America! Bob] that foster the development of interchangeable and interoperable products generated by open standards, and, consequently, broad competition markets, regardless of whether the IT systems of interconnecting organizations and individuals use open or closed source software. In the near future, in spite of EU tendencies the Alliance seeks to make its approach – interoperability based on publicly defined open standards – the EU norm under the Hungarian presidency of the European Union in 2011. To that end, it will promote public collaboration – possibly between every interested party, civil and political organization in the European Union. What do you think: what would be the best way to cooperate?"

No doubt they expect to lure traveling executives and professionals into range of their gourmet burgers. Quite a turnaround. Instead of shooing idlers out to make room for paying customers, they are actually listening to their customers and making the restaurant customer-friendly! Way to go, Ronald!

US McDonald's Wi-Fi Going Free In January

Posted by kdawson on Friday December 18, @12:23PM from the fries-with-that dept.

Knowzy writes

"After five years behind a paywall, McDonalds plans to stop charging for its Wi-Fi in mid-January in the US. According to the Dallas Morning News, you aren't even required to make a purchase — 'free is free,' a spokesman said. It's also been widely reported that they won't impose time limits on your surfing. With around 20,000 free hotspots between McDonald's and Starbucks (who went free[ish] earlier this year), anyone still charging for Wi-Fi is going to look foolish, if not downright greedy."

These are pretty old-school, but I can see my website students using them for page backgrounds...

Two Sites To Instantly Convert Your Images To Text

By Simon Slangen on Dec. 18th, 2009

Photo2Text: Photo2Text quickly converts any picture to ASCII art.

TEXT-IMAGE: The next site does more than just convert images to text; it also offers three wholly different varieties: HTML, ASCII and Matrix.

Friday, December 18, 2009

“Hello. We're an academic institution, so we have a checklist of things you are not supposed to do when handling Personally Identifiable Information. Watch, as we violate every rule!”

Hacker hits NC community college system

December 17, 2009 by admin Filed under Breach Incidents, Education Sector, Hack, Of Note, U.S.

Kristin Collins reports:

Patrons of the state’s community colleges may have had their driver’s license and Social Security numbers stolen by a hacker.

College officials announced late today that 51,000 library users at 25 campuses, including Wake Tech and Johnston County, were the victims of a security breach in August.

They said the libraries collect driver’s license and Social Security numbers to help identify computer users. The information is stored on a central server in Raleigh. [AKA: “Hacker target.” Why is this information still online? Bob]

The colleges are in the process of notifying all users whose numbers were on the server when it was accessed by a hacker earlier this year.

However, they said their investigation suggests that the hacker did not access the information.

Read more on News&Observer.

The North Carolina Community Colleges System web site has a notification of the breach (pdf), but only if you click on the news link from the home page. Somehow, with all the good news that they managed to post to the home page, they did not post the security breach as news where people might see and find it right away. The notice says, in part:

On Sunday, August 23, 2009, a computer hacker accessed the library patron information on the computer server, housed in the community college System Office in Raleigh, via the Internet by decoding a user password. [AKA: “Guessing” Bob] The breach was discovered [Good for them! Bob] on Monday, August 24 during a routine security review and was reported to the state’s Information Technology Service (ITS). The System Office’s Information Services division immediately began an investigation to trace the activity of the attacker and the extent of the breach.

Forty-six community colleges that participate in the Community College Libraries in North Carolina consortium (CCLINC) maintain information on more than 270,000 library users on this server. The investigation revealed that 12,400 driver’s license numbers, originally collected by 18 colleges to help identify library users, were stored on the server.


The ongoing review revealed on October 19, 2009, that Social Security numbers of 38,500 library patrons were also stored on the breached server.


“Finding the Social Security numbers added another layer onto an already complex investigation,” said Dr. Saundra Williams, Senior Vice President of Technology and Workforce Development in the System Office. “We went from 12,400 library users to nearly 51,000 so the scope of our review was greatly increased. We felt it was necessary to be extremely cautious each step of the way to prevent future breaches and to ensure that the information was dealt with appropriately.”

For all their explanation, it still took them over two months to realize that they had SSNs on a breached server. In my opinion, that’s not satisfactory. Nor, by today’s standards, is it good to take four months to reveal a breach. I hope that they’re right and that the data weren’t accessed, but if the data had been accessed, the delays experienced in notifying people could make a difference.

Elsewhere, Jon Ostendorff reports that an internal memo obtained by the Citizen-Times said, in part:

“At this time, it appears that the compromise was limited to the operating system and the installation of ‘chat’ software,” according to the memo from system Senior Vice President Saundra Williams. “There is no evidence that any data was accessed. The data is stored in an obscure database [I know of no technical basis for such a statement. Bob] which the unauthorized user would have to know the structure of the database [or spend several minutes looking at it. Bob] to piece the information together to match the person’s name with other personally identifiable information.”

Casual control of laptops is my guess. “Need training? Just grab a laptop – no need to consider what might be on it.” (Or why this information would be on a laptop in the first place!)

VA: Laptop containing personal information about MWR customers stolen (update 1)

December 17, 2009 by admin Filed under Breach Incidents, Government Sector, Of Note, Theft, U.S.

FMWRC Public Affairs posted the following on

A laptop computer containing names and personally identifiable information for slightly more than 42,000 Fort Belvoir Morale, Welfare and Recreation patrons was stolen from a Family and Morale, Welfare and Recreation Command employee Nov. 28.

The Family and MWR Command was made aware of the theft Dec. 1, and began assessing the extent of the security breach and preparing to notify affected customers. Letters were sent this week to all affected patrons explaining the nature of the breach.


Anyone attempting access to the data on the computer would have to bypass three layers of security access and encryption passwords.


The Family and MWR Command operates numerous facilities on Fort Belvoir, including childcare centers, bowling centers, restaurants, outdoor recreation facilities, and golf courses. Soldiers, family members, Department of Defense employees and other authorized MWR patrons who used an MWR facility on Fort Belvoir since 2005 may be included in the data on the laptop.

Update: CNN’s Samantha Hayes provides some additional details:

The security breach happened when the rental apartment of an employee with the Morale, Welfare, and Recreation Academy was burglarized in Clermont, Florida, officials said. The theft was reported to local police November 28, but the military was not notified until the employee returned to work three days later. [The employee may not have known what was on the laptop Bob]

Military officials say the employee was using the laptop for remote training courses, and it has not been determined whether any protocol was breached.


CNN obtained the notification letter sent, almost two weeks later, to those affected. It says, in part, that the alleged compromised information “includes your name, Social Security number, home address, date of birth, encrypted credit card information, personal e-mail address, personal telephone numbers, and family member information.”

Thanks to the good folks over at ITRC for alerting me to the CNN coverage.

Bigger than I thought...

(update) RockYou admits security snafu exposed email login details

December 18, 2009 by admin Filed under Business Sector, Hack

John Leyden reports:

Social media application developer RockYou has vowed to improve its security and apply encryption following a breach that exposed 32 million user login credentials to hackers.

Sensitive login credentials – stored in plain text – were left open to attack as a result of an SQL injection vulnerability in RockYou’s website. In a statement, RockYou said the exposed password credentials applied to widgets it develops and potentially exposed user passwords and email addresses. The developer said user credentials for RockYou applications on partner sites – including Facebook, MySpace, and Orkut – were not exposed by the admitted breach.

Read more on The Register.

There goes 10% of my bonus!

Heartland pays Amex $3.6M over 2008 data breach

December 18, 2009 by admin Filed under Financial Sector, Hack

Robert McMillan reports:

Heartland Payment Systems will pay American Express $3.6 million to settle charges relating to the 2008 hacking of its payment system network.

This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.


This settlement resolves “all intrusion-related issues between the two parties,” Heartland said in a statement Thursday. However, the company’s disputes with other brands such as Visa and MasterCard apparently remain unresolved. A company spokeswoman declined to comment further on the matter for this story.

Read more on Computerworld.

[From the article:

… Heartland was one of several companies that the hackers managed to break into using SQL injection attacks. [Have we seen “SQL injection” before? Bob]

In May, Heartland CEO Bob Carr said that his company had set aside $12.6 million to handle charges related to the hack. More than half of that money was to handle fines levied by MasterCard, he said.

The Privacy Policy is connected to the Terms of Use

The Terms of Use are changed at the Providers Whim

The Providers Whim results in Angry Customers

Now shake dem skeleton bones!

Eventually, these companies are going to notice that changing their customer Privacy or Security settings without notice is a bad thing. Eventually...

Privacy Groups Bring Facebook Complaints to FTC

December 17, 2009 by Dissent Filed under Featured Headlines, Internet

Robert McMillan reports:

Ten privacy and consumer groups, including the Electronic Privacy Information Center (EPIC), filed a complaint Thursday with the U.S. Federal Trade Commission, saying that Facebook’s newly revamped privacy settings are deceptive and unfair.

Facebook unveiled the new privacy settings last week, saying that they were giving users more granular control over their settings, but critics immediately jumped on the fact that Facebook’s new default settings push information that may previously have been semi-private onto the Internet and they now give users no way to block their friends’ Facebook applications from accessing personal data.

“Facebook is engaging in unfair and deceptive acts and practices,” that are “likely to cause substantial injury to consumers,” says the complaint, which was posted to EPIC’s Web site Thursday.

Read more on CIO.

Legislation initiated by the “We gotta do something” crowd (AKA: Knee-jerk legislation) rarely gets it right. Thank god for angry citizens!

After Berlusconi Attack, Italy Considers Web Censorship

Posted by timothy on Friday December 18, @06:27AM from the streisand-should-charge-a-consulting-fee dept.

An anonymous reader writes

"The Italian government has proposed introducing new restrictions on the Internet after a Facebook fan page for the man who allegedly attacked Prime Minister Silvio Berlusconi on Sunday drew almost 100,000 users in under 48 hours. However, the planned clampdown on Internet hate speech sparked a heated debate over censorship and freedom of expression, leading Interior Minister Roberto Maroni to execute a partial U-turn."

Probably not an example of true, government sponsored cyber war tactics, but something to consider. If Twitter can be a source of information, it can also be a source of dis-information.

Twitter hijacked by 'Iranian Cyber Army'

by Steven Musil December 17, 2009 10:40 PM PST

… Security has been a thorny issue for Twitter in the past. In January, a hacker hijacked CNN anchor Rick Sanchez's feed and proclaimed the journalist was "high on crack." Twitter users have also been the target of a password-stealing phishing scam. Disguising itself as a private message that led to a fake Twitter log-in screen, the scam was widespread enough for Twitter to put a warning message on all members' home pages alerting them of the issue.

Certainly, there is a contentious history between Twitter and Iran. In the wake of supposed results of that nation's presidential election in June, protesters in Iran used Twitter to skirt government filters to report events, express outrage, and get people out to opposition rallies. Twitter even rescheduled some planned downtime in order to stay accessible for Iranian users in the midst of political upheaval at the request of the U.S. Department of State.

Hoist on their own petard.

DRM Flub Prevented 3D Showings of Avatar In Germany

Posted by timothy on Thursday December 17, @02:31PM from the token-of-our-appreciation dept.

Fraggy_the_undead writes

"According to German IT news site, yesterday several 3D showings of Avatar couldn't take place (German; Google translation to English), because the movies were DRM protected such that there had to be a key per copy of the film, per film projector, and per movie server in the theater. The key supplier, by the name Deluxe, was apparently unable to provide a sufficient number of valid keys in time. Moviegoers were offered to get a refund or view an analogue 2D showing instead."

Diversity is as diversity does. (F. Gump) For my statistics students.

December 17, 2009

Media Mention: Social Networking, Race and Ethnicity Facebook releases first-ever demographic look at users "Illustrating the growing diversity of online users as the Internet matures, a study by Facebook researchers found that about 11 percent of the social network's approximately 100 million U.S. members were African-American, about 9 percent were Latino and 6 percent were Asian, according to a post on Facebook's blog Wednesday evening — a much higher share for blacks and Latinos than four years ago."

[From the article:

Facebook does not ask its more than 350 million worldwide members to disclose their race. But researchers at the Palo Alto-based social network used a Census Bureau database of the demographic characteristics of 150,000 American surnames to track the rapidly changing racial makeup of its U.S. members over the past four years. [In other words, this is a SWAG (Scientific Wild-Ass Guess) Bob]

Interesting. I wonder if Google thinks it necessary to create cheaper hardware to get more people using their search engine (and seeing more ads)?

Beyond 'Nexus One,' Google rumored to create netbook hardware

By Katie Marsal Published: 11:05 AM EST Thursday, December 17, 2009

As reports continue to state Google will sell a custom built phone very soon, a new rumor suggests the search company will also release its own branded netbook PC when Chrome OS debuts in late 2010.

If true, it would mean that Google and Apple are set to compete yet again, this time in the hardware and software PC business. The latest rumor is just more evidence of why Google CEO Eric Schmidt was forced to resign from the Apple Board of Directors in August, as the two companies face off with competing browsers, phones and, in the future, operating systems.

Finding start-ups (and other stuff)

CrunchBase Funding Digest: JAGTAG, OneWire, SimpleGeo, Millennial Media

by Daniel Levine on December 17, 2009

Every day I troll SEC Form D Filings to discover new startups, fundings and investments. I put everything I find into CrunchBase.

(Related) What if McDonald's sold wine?

Trefis Widgetizes Its Customizable Stock Price Charts

by Jason Kincaid on December 17, 2009

Last month we wrote about Trefis, a new financial site that lets you tweak your stock predictions by adjusting variables in a company’s business model, depending on how you think different segments of the company will perform. These predictions are plotted out on attractive interactive charts, but until now those charts were all housed on the site’s homepage. Today, Trefis is launching support for widgets, giving bloggers and financial experts the chance to share their adjusted stock predictions with the world.

Free is good. - Looking Up Both Free & Paid eBooks

Research tool. Because different search algorithms yield different results.

Searchzooka: Conduct Advanced Search On Multiple Search Engines

By Karl Gechlik on Dec. 12th, 2009

… makes it easy to do the same advanced search on multiple search engines (Google, Yahoo, Bing, Ask, Digg, Delicious and Technorati).

What can you do with 26 gigapixels? Click on some of the images below the picture and wait a few seconds after the zoom for a clean-up of the image, then zoom again. Now think UAV or satellite.

Thursday, December 17, 2009

I'm starting my year-end round-up of year-end round-ups.

Some yearly round-ups on breaches

December 17, 2009 by admin Filed under Commentaries and Analyses

It’s that time of the year, and some firms and journalists have begun looking back at 2009. Here are some round-ups I’ve seen recently:

Perimeter E-Security Exposes Top Ten Biggest Security Breaches and Blunders of 2009
The Year Of The Mega Data Breach
2009: a year of incident, loss, malware and ultimately education
Ten Most Damaging Data Breaches of 2009
Top 10 Data Breaches in 2009 Expose 220 Million Records
The 2009 data breach hall of shame

If you know of others, please feel free to post links to them in the Comments box.

I’ll be compiling my own Top 10 list for 2009 sometime next week.

Cyber wars come in all sizes.

Are U.S. Drones Really Being Watched With a Simple “Satellite Internet Downloader?”

by John Biggs on December 17, 2009

Either the WSJ hasn’t taken their anti-crazy pills or there is something severely wrong with the military industrial complex. I’m betting on both.

The story says, essentially, that insurgents in Iraq are “taking control” of our pilotless drones with a $25 piece of software called SkyGrabber. By “take control” the WSJ means “download video feeds from” and by “software” I mean essentially a satellite network snooper.

Medical applications were an afterthought.

Cell phone activity helps predict spread of malaria

by Elizabeth Armstrong Moore December 16, 2009 2:04 PM PST

What a great idea! No one ever thought of this before. NOTE: Worth reading the comments!

UK Wants To Phase Out Checks By 2018

Posted by samzenpus on Thursday December 17, @01:37AM from the cash-or-credit dept.

The board of the UK Payments Council has set a date to phase out checks in a bid to encourage the advance of other forms of payment. They added, however, that the target of Oct. 2018 would only be realized if adequate alternatives are developed. "The goal is to ensure that by 2018 there is no scenario where customers, individuals or businesses, still need to use a cheque. The board will be especially concerned that the needs of elderly and vulnerable people are met," the Payments Council said in a statement.

Geeky stuff

VMware Workstation vs. VirtualBox vs. Parallels

Posted by timothy on Wednesday December 16, @03:43PM from the can't-you-be-content-with-the-actual-box? dept.

snydeq writes

"InfoWorld's Randall Kennedy takes an in-depth look at VMware Workstation 7, VirtualBox 3.1, and Parallels Desktop 4, three technologies at the heart of 'the biggest shake-up for desktop virtualization in years.' The shake-up, which sees Microsoft's once promising Virtual PC off in the Windows 7 XP Mode weeds, has put VirtualBox — among the best free open source software available for Windows — out front as a general-purpose VM, filling the void left by VMware's move to make Workstation more appealing to developers and admins. Meanwhile, Parallels finally offers a Desktop for Windows on par with its Mac product, as well as Workstation 4 Extreme, which delivers near native performance for graphics, disk, and network I/O. 'There's some genuine innovation going on, especially in the areas of hardware support and application compatibility,' Kennedy writes. 'All support 32- and 64-bit Windows and Linux hosts and guests, and all have added compelling new VM management capabilities, ranging from automated snapshots to live VM migration.'"

Hard to believe?

Report: The Most Active Online Are The Most Educated.

By Zee on December 16, 2009

What will cause the next round of mass hysteria? Global warming? The end of the Inca calendar? Happy meals?

10 Years After Y2K -- Stories From the IT Battlegrounds

Posted 12/16/2009 at 3:23:58pm by Michelle Delio

It was a fear fest of epic proportions. Magazine headlines predicted that the end of the world would shortly befall us. They told harrowing tales of feral computer systems going awry the minute the clock struck midnight on January 1st, 2000--planes would fall from the sky, power grids would fail, the global economy would crash, nuclear power plants would go into meltdown mode, lines of communication would be cut, and the contents of bank accounts would vanish.

[The only amusing thing was this Apple commercial:

Take that, Global Warming advocates! “Us New Yawkers knows that to increase revenue in hard times, youse cuts services like mad.”

December 16, 2009

New York M.T.A. Approves Big Service Cuts in Mass Transit

New York Times: "The Metropolitan Transportation Authority approved a punishing slate of service cuts on Wednesday that would amount to the most significant erosion of New York City’s transit system since its recovery from the ruinous days of the 1980s. The cuts represent some of the first concrete consequences of a fiscal crisis in New York State that until now had mostly been restricted to ominous words from politicians. The authority’s board unanimously approved the plan — which includes eliminating the W and Z subway lines, reducing service on dozens of bus routes, and phasing out free fares for students — to cope with a $400 million shortfall in state financing that emerged in the past two weeks."

For my Online and Hybrid classes: A how to guide. (Needs work, but it's a start.)

Take Online Classes

After all those wasted hours clicking around on Wikipedia and staring almost zombie-like at even your favorite, regular websites, perhaps it’s time to make the internet work for you.

Everyone from business schools to art schools is granting undergraduate and graduate degrees to online-only students. For those of you with discipline, the desire and an internet connection, here’s how you can make it happen.

Start collecting eBooks now (esp. the free ones) and worry about which device you want later.

Kobo International E-Book Store Launches: Why Amazon Should Be Afraid

By Charlie Sorrel December 16, 2009 10:52 am

There is little doubt that electronic books have gone mainstream. The question now is, in just which direction will the market go? It’s possible that the Kindle will do what Apple and the iPod did for music, essentially owning the market. Or things could split open, with many sellers competing on an open platform. Kobo is betting on the latter.

Kobo is a rebranded Shortcovers, which sells e-books that can be read on almost any device, from Macs and PCs to the iPhone, Blackberry, Android, Palm Pre and any e-reader that can work with EPUB-format books, such as the Barnes & Noble Nook or the Sony Reader. Notably, the Kindle is absent from the list.

Wednesday, December 16, 2009

Why do lawyers make the big bucks? Because they can reduce or eliminate liability!

BJ’s, Bank Not Liable for Credit Card Fraud

December 15, 2009 by admin Filed under Business Sector, Financial Sector, ID Theft, Of Note

CUMIS Insurance Society and the credit unions it insures have failed in their lawsuit against BJ’s Wholesale Club and Fifth Third Bank over a 2004 breach that affected 9.2 million cardholders.

The background of the case, as summarized in the court opinion:

In February, 2004, Visa and MasterCard determined that computer thieves had gained access to the computer systems on which BJ’s stored credit card transaction data at more than 150 stores, and that the breach had been ongoing since July, 2003. The breach provided the thieves access to the full magnetic stripe data from approximately 9.2 million cardholder accounts, allowing them access to cardholder names, account numbers, account expiration dates, and proprietary Visa and MasterCard security data. It was ultimately determined that the third-party transaction processing software used by BJ’s was permanently storing the magnetic stripe data in transaction logs. The agreements between BJ’s and Fifth Third contained a requirement that BJ’s comply with Visa and MasterCard’s regulations, including those prohibiting BJ’s from storing any magnetic stripe data after a transaction was completed; the agreements among Fifth Third and Visa and MasterCard required Fifth Third to ensure that its merchants complied with the regulations. BJ’s conceded that it was retaining the magnetic stripe data.

Visa and MasterCard notified all their member issuing banks that had issued any of the possibly compromised accounts. In response to this notification, the plaintiff credit unions closed all their potentially compromised accounts, without regard to whether fraudulent charges had been made on a particular account; advised cardholders to destroy their old plastic credit cards; and issued new account numbers and new plastic credit cards to all affected cardholders. Cumis paid the plaintiff credit unions millions of dollars for fraudulent transactions made using the compromised accounts; the plaintiff credit unions and Cumis then commenced this action.

The credit unions and their insurer, Cumis, argued that they were third-party beneficiaries of contracts between card brands and Fifth Third and between BJ’s Wholesale Club and Fifth Third. The court did not agree. Jeff Gorman reports that

The trial court sided with BJ’s, and the state high court affirmed, saying the contract was exclusively between BJ’s and Fifth Third.

The contract stated: “This agreement is for the benefit of, and may be enforced only by, (Fifth Third) and (BJ’s) … and is not for the benefit of, and may not be enforced by, any third party.”

The court also tossed fraud and negligence claims against BJ’s and Fifth Third Bank, saying they never misled the credit unions and Cumis about their compliance with Visa and MasterCard regulations. [Would a Certification of compliance with PCIDSS be considered “misleading” to the credit unions? Bob]

Related: Court Opinion (pdf)

Update: Jaikumar Vijayan of Computerworld also covers this story.
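The failure in the BJ’s case above was transaction-processing software that kept full magnetic stripe data in its logs, which the card brands’ rules forbid after authorization. The scanner below is an added example (not code from the case, the court, or any vendor) showing how a defender can sweep existing logs for Track 1 and Track 2 blobs and redact them; the log lines and card numbers are constructed for the example (the PANs are the industry’s published test numbers).

```python
"""Scan POS transaction logs for retained magnetic-stripe (track) data.

Added example: the card-brand rules cited in the BJ's case prohibit storing
full track data once a transaction is authorized, yet debug and transaction
logs are a common place it leaks. All log lines below are constructed; the
PANs are published test numbers, not real accounts.
"""
import re

# Track 1 (IATA format): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2 (ABA format):  ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check, used to separate card numbers from look-alike digit strings."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the form PCI permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(line: str):
    """Return [(track, pan)] for every track blob in the line whose PAN passes Luhn."""
    hits = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            hits.append(("track1", m.group(1)))
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            hits.append(("track2", m.group(1)))
    return hits


def redact_line(line: str) -> str:
    """Replace each track blob with a masked marker so the log stays usable."""
    def _sub(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)   # not a card number; leave the text alone
        return "[TRACK-DATA-REDACTED pan=%s]" % mask_pan(pan)
    return TRACK2_RE.sub(_sub, TRACK1_RE.sub(_sub, line))


def scan_log(text: str):
    """Return (line_no, track, masked_pan) for every finding in a whole log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for track, pan in find_track_data(line):
            findings.append((n, track, mask_pan(pan)))
    return findings


# Constructed sample: two properly masked AUTH records, two DEBUG records that
# leak raw track data, and one device tag that looks like Track 2 but fails Luhn.
SAMPLE_LOG = """\
2009-07-14 10:02:11 POS07 AUTH ok amount=42.17 pan=411111******1111 rrn=000123
2009-07-14 10:02:12 POS07 DEBUG raw=%B4111111111111111^DOE/JANE^25121011000000000?
2009-07-14 10:03:40 POS02 DEBUG raw=;5500000000000004=25121011234567890?
2009-07-14 10:04:01 POS02 AUTH ok amount=8.50 pan=550000******0004 rrn=000124
2009-07-14 10:05:00 POS02 INFO reader tag ;1234567890123456=2512101? (not a card)
"""

if __name__ == "__main__":
    for n, track, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: {track} data retained for {pan}")
    print(redact_line(SAMPLE_LOG.splitlines()[1]))
```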

Worth reading the article.

Document Details Help TJX Hacker Gave Prosecutors

December 15, 2009 by admin Filed under Breach Incidents

Kim Zetter reports:

Admitted TJX hacker Albert Gonzalez has identified two Russian accomplices who helped him hack into numerous companies and steal more than 130 million credit and debit card numbers.

Gonzalez told prosecutors that the hackers breached at least four card processing companies, as well as a series of foreign banks, a brokerage house and several retail store chains, according to a sentencing memo filed by his lawyer on Tuesday that was incorrectly redacted.

Read more on Threat Level.

[From the article:

By identifying intrusions that “had not yet been detected,” his lawyer wrote, Gonzalez helped the companies institute protective measures to secure their data and prevent future breaches.

Anyone can fall for a phisher's message.

UCSF doc falls for phish, exposes patient info

By Dissent, December 15, 2009 8:34 pm

Chris Rauber reports:

UC San Francisco said late Tuesday it has alerted 600 patients and others that an external hacker may have obtained “temporary access to emails containing their personal information” as a result of a late September phishing scam.

The breach occurred about three months ago, and was investigated in mid-October, but wasn’t disclosed to the public until Dec. 15. Corinna Kaarlela, UCSF’s news director, told the San Francisco Business Times late Tuesday that individuals whose data may have been compromised were notified between Oct. 21, when an in-depth investigation began, and Dec. 11, when it was completed.

UCSF said Tuesday that an unnamed faculty physician in the School of Medicine was victimized in late September by the alleged scam. The physician provided a user name and password in response to an email message fabricated by a hacker that appeared as if it came from those responsible for upgrading security on UCSF internal computer servers.

Read more in the San Francisco Business Times.

If you don't actually understand a subject (in this case Privacy) you find yourself falling into these logic traps. I doubt they set out to encourage lying...

Facebook Suggests You Lie, Break Its Own Terms Of Service To Keep Your Privacy

by Jason Kincaid on December 15, 2009

Another first? How are numbers stored on a cell phone different from those stored in hand-written form?

OH Court: Cell phone searches require warrant

December 15, 2009 by Dissent Filed under Court, Surveillance

Stephen Majors of the Associated Press reports:

Police officers must obtain a search warrant before scouring the contents of a suspect’s cell phone unless their safety is in danger, a divided Ohio Supreme Court ruled Tuesday on an issue that appears never to have reached another state high court or the U.S. Supreme Court.

The Ohio high court ruled 5-4 in favor of Antwaun Smith, who was arrested on drug charges after he answered a cell phone call from a crack cocaine user acting as a police informant.

Read more in The Miami Herald.

Could a resolution like this one be translated back to the pre-Internet world? i.e. Would a “gift certificate” work as well as a “select, download, install” screen?

EU resolves Microsoft IE antitrust case

by Lance Whitney December 16, 2009 5:28 AM PST

… As part of the settlement, Windows PCs sold in the European Economic Area will now present users with a Choice Screen, allowing them to install alternative browsers beyond Internet Explorer.

The world is changing.

Study: Texting Edging Out Cell-Phone Calls

By AP / HOPE YEN Tuesday, Dec. 15, 2009


Facebook Passes Aol In The U.S.

by Erick Schonfeld on December 15, 2009

Another resource for my Statistics students.

December 15, 2009

Census Bureau Releases 2010 Statistical Abstract Depicting the State of Our Nation

Texting More Than Doubles in the Last Year: "How r u? The way we communicate is rapidly evolving, as evidenced by the fact that the number of text messages sent on cell phones has more than doubled from 48 billion in December 2007 to 110 billion in December 2008, according to the U.S. Census Bureau’s Statistical Abstract of the United States: 2010. The Statistical Abstract, aka “Uncle Sam’s Almanac,” perennially the federal government’s best-selling reference book, has been published since 1878 — before automobiles, airplanes and motion pictures had even been invented. Contained in the 129th edition are more than 1,400 tables of social, political and economic facts which collectively describe the state of our nation and the world. Included are 53 new tables, covering topics such as worldwide space launch events this decade, the use of complementary and alternative medicine, the type of work flexibility provided to employees, employment status of veterans and road fatalities by country."

This is an interesting business model. Not a bad investment model either. NOTE: Would they have flagged Bernie Madoff as a genius?

kaChing Raises $7.5 Million To Turn Mutual Funds On Their Heads

by Jason Kincaid on December 15, 2009

… It invites top traders to publicly share all of their trades, revealing information that until now was only revealed to the likes of Ivy League institutions. Rachleff says the top traders benefit because they can accept many amateur investors as clients with very little extra work on their part. And everyone else benefits because they gain access to this data.

Here’s how it works: kaChing has gathered a dozen top investors, many of them professionals, which it has certified to be “Geniuses”. Anyone who comes to the site is free to look at the full trading history of these Geniuses, free of charge. If you like what you see, you can sign up for kaChing and create a brokerage account through its partner, Interactive Brokers (a well established and publicly traded brokerage firm). Deposit some money (the minimum is $3,000) and you’re set. From then on, the site will automatically execute trades for you to exactly mirror the Genius you’ve signed up for.

Until we develop a complete eDoctor, this will have to do.

Dad Delivers Baby Using Wiki

Posted by samzenpus on Tuesday December 15, @04:29PM from the 9cm-edited dept.

sonamchauhan writes

"A Londoner helped his wife deliver their baby by Googling 'how to deliver a baby' on his mobile phone. From the article: 'Today proud Mr Smith said: "The midwife had checked Emma earlier in the day but contractions started up again at about 8pm so we called the midwife to come back. But then everything happened so quickly I realized Emma was going to give birth. I wasn't sure what I was going to do so I just looked up the instructions on the internet using my BlackBerry."'"

Not sure how many eBook users read my blog, but this looks interesting. - For Those Who Love eBooks

… In principle, it is a solution that makes for the management of eBooks. Using it you can take care of a wealth of aspects such as the downloading of new titles and the syncing of these titles to eBook reader devices. Moreover, the provided dashboard makes it possible for anybody to download news from the WWW and have them turned into an eBook.

Calibre is available both for Windows and Mac users. Linux is fully supported, too. All you have to do to set going is to download the app (for free) and install it.

This could be real interesting if I can have one for each class I teach and share it with my students. Even just having a personal copy I can put on the overhead would be useful. - Organizing Information Visually

The site works as an (unlimited) space where you can situate just anything you come across such as YouTube videos and your favorite sites along with assorted links.

Creating an account can be done in several ways – you can do so by using your Yahoo! Credentials, or you can sign in using your OpenID. Once you are inside, you will receive a basic amount of Spaaze Points that you can use to start playing around with the website.

This site might work for you or not. Since it can be tried out for free during the provided beta phase, now it would be a good time to find it out.

Geeks are always looking for Easter Eggs, but Fortune Cookies?

Tuesday, December 15, 2009

Being cool is dangerous...

RockYou Hack: From Bad To Worse

by Nik Cubrilovic on December 14, 2009

Earlier today news spread that social application site RockYou had suffered a data breach that resulted in the exposure of over 32 Million user accounts. To compound the severity of the security breach, it was found that RockYou are storing all user account data in plain text in their database, exposing all that information to attackers. RockYou have yet to inform users of the breach, and their blog is eerily silent – but the details of the security breach are going from bad to worse.

The first issue is that RockYou attempted to downplay the entire incident, first by covering it up by not notifying users and then downplaying it in an official statement as being an issue that only affected ‘older’ applications. The hacker responsible for the initial breach published a small portion of the dataset he had retrieved [A “bragging rights” rather than an “Identity Theft” hack? Bob] and was able to show that not only did he have access to their entire database, but also passwords were stored in the clear. This matter now appears worse than originally suspected as the dataset also contains a table where RockYou have stored user credentials for social networks and other partner sites.
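The “passwords stored in the clear” problem the article describes, shown as an added example beside the hardened form that limits what a database dump reveals. This is not RockYou's code or anything from the article; the accounts and passwords below are constructed sample data, and the scrypt parameters are an assumption to be tuned to the server's budget. The audit helper at the end is the check a defender would run over a credential table to find records that are not hashed at all.

```python
"""Credential storage: plaintext table (the weak design) beside a salted scrypt table.

Added example, not code from RockYou or from the article.  All accounts and
passwords here are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List

# Constructed sample accounts (assumption: not real data).
SAMPLE_ACCOUNTS = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "hunter2",
}


class PlaintextStore:
    """The weak design: the credential table *is* the password list."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def add(self, user: str, password: str) -> None:
        self._table[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._table.get(user) == password

    def dump(self) -> Dict[str, str]:
        """What anyone with read access to the database sees."""
        return dict(self._table)


class HashedStore:
    """Per-user random salt + memory-hard scrypt, constant-time comparison.

    Record format (own convention for this example): scrypt$n$r$p$salt_hex$digest_hex
    n/r/p are an assumption; raise n if your hardware budget allows.
    """

    def __init__(self, n: int = 2 ** 14, r: int = 8, p: int = 1) -> None:
        self.n, self.r, self.p = n, r, p
        self._table: Dict[str, str] = {}

    def _derive(self, password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
        return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per record: equal passwords give different records
        digest = self._derive(password, salt, self.n, self.r, self.p)
        self._table[user] = f"scrypt${self.n}${self.r}${self.p}${salt.hex()}${digest.hex()}"

    def verify(self, user: str, password: str) -> bool:
        record = self._table.get(user)
        if record is None:
            # Unknown user: still pay the derivation cost so timing does not reveal
            # which usernames exist (simple equalisation, an assumption of this example).
            self._derive(password, b"\x00" * 16, self.n, self.r, self.p)
            return False
        _, n, r, p, salt_hex, digest_hex = record.split("$")
        candidate = self._derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

    def dump(self) -> Dict[str, str]:
        """A dump of this table yields salts and digests, not passwords."""
        return dict(self._table)


def audit_credential_table(table: Dict[str, str]) -> List[str]:
    """Return users whose stored value is not a parseable scrypt record.

    A non-empty result means the table holds plaintext (or an unknown scheme)
    and needs migration before, not after, the next breach.
    """
    flagged = []
    for user, value in table.items():
        parts = value.split("$")
        ok = (
            len(parts) == 6 and parts[0] == "scrypt"
            and all(x.isdigit() for x in parts[1:4])
            and len(parts[4]) == 32 and len(parts[5]) == 64
        )
        if not ok:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    weak, strong = PlaintextStore(), HashedStore()
    for user, pw in SAMPLE_ACCOUNTS.items():
        weak.add(user, pw)
        strong.add(user, pw)
    print("plaintext dump:", weak.dump())
    print("hashed dump:   ", strong.dump())
    print("needs migration:", audit_credential_table(weak.dump()))
```

`hashlib.scrypt` needs Python built against OpenSSL 1.1 or later, which every supported Python now is; the per-user salt is what makes a leaked table resistant to precomputed tables, and `hmac.compare_digest` is what keeps the check itself from leaking through timing.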

(Related) Now you have a checklist for security violations? “Oh look, they failed to do this, and this, and this...”

Guidelines Aimed at Thwarting ID Theft, Security Breaches Unveiled

December 14, 2009 by Dissent Filed under Breaches

Responding to concerns about identity theft and security breaches linked to portable devices, the AICPA [American Institute of Certified Public Accountants] and the Canadian Institute of Chartered Accountants have expanded Generally Accepted Privacy Principles to include protocols for securing personal information.

The AICPA/CICA Generally Accepted Privacy Principles are recognized by the IRS and other organizations. The privacy framework offers guidance and best practices for securing portable devices, breach management and ensuring continued effectiveness of privacy controls. The guidance also covers disposal and destruction of personal information. [...]

Free copies of the principles, along with additional privacy resources, are available at and

Read more in the Journal of Accountancy. Hat-tip, Corporate Reporting to Stakeholders.

Civil disobedience? Hacktivism? Or just users calling AT&T to task?

Operation Chokehold will blow up AT&T on Friday

by John Biggs on December 15, 2009

Fake Steve is rustling some feathers this week with his Operation Chokehold, a planned bit of corporate disobedience against AT&T. He’s telling iPhone users to go nuts with the data on Friday, December 18, just to show AT&T’s CEO De La Vega, the man who suggested education would encourage users not to use his network so much, what uneducated users really can do to his preciously twee airwaves.

This has been wild since it started, but I at least thought they had a case...

The Trial of Terry Childs Begins

Posted by kdawson on Tuesday December 15, @08:07AM from the there-but-for-luck-and-precedent-go-we-all dept.

snydeq writes

"Opening arguments were heard today in the trial against IT admin Terry Childs, who was arrested 18 months ago for refusing to hand over passwords to the San Francisco city network. InfoWorld's Paul Venezia, who has been following the case from the start, speculates that the 18-month wait is due to the fact that 'the DA has done no homework on the technical issues in play here and is instead more than willing to use the Frankenstein offense: It's different, so it must be killed.' On the other hand, the city — which has held Childs on $5 million bail despite having already dropped three of the four charges against him — may have finally figured out 'just how ridiculous the whole scenario is but is too far down the line to pull back the reins and is continuing with the prosecution just to save face,' Venezia writes. The trial is expected to last until mid-March. San Francisco Mayor Gavin Newsom, to whom Childs eventually gave the city's network passwords, will be included in the roster of those who will testify in the case — one that could put all admins in danger should Childs be found guilty of tampering."

Local But does that immunize the tax preparer?

Colo. court: immigrants' tax records are private

December 14, 2009 by Dissent Filed under Breaches, Court, Featured Headlines, U.S.

Ivan Moreno of the Associated Press reports:

The Colorado Supreme Court ruled Monday that authorities violated the constitutional and privacy rights of suspected illegal immigrants when they used tax returns to try and build hundreds of identity theft cases against them.

The ruling affirmed a decision by a Weld County district judge who suppressed evidence against one of the defendants. In that case, investigators raided a tax business that catered to Latinos in Greeley, an agricultural city on the northern plains of Colorado with a heavily Hispanic population.

Read more in the San Francisco Examiner. Previous coverage on this case linked from here and here.

Maybe those privacy policies don't always apply?

Online Commenter Did Not Waive Right to Anonymity by Agreeing to News Website’s Privacy Policy

December 14, 2009 by Dissent Filed under Court, Featured Headlines, Internet

Eric Goldman’s Technology & Marketing Law Blog discusses a recent court opinion concerning unmasking anonymous online commenters that I hadn’t heard about:

Sedersten v. Taylor, 2009 U.S. Dist LEXIS 114525 (Case No. 09-3031-CV-S-GAF) (W.D. Mo. Dec. 9, 2009).

A Missouri district judge rejected a plaintiff’s attempt to unmask an online commenter based in part on the argument that language in the website’s privacy policy resulted in a waiver of anonymity.


Plaintiff argued that “bornandraisedhere” waived any right to anonymity by agreeing to the terms of the News-Leader’s privacy policy, which provided that the News-Leader:

reserve[s] the right to use, and to disclose to third parties, all of the information collected from and about [users] while [users use] the Site in any way and for any purpose . . . .

Read more on Technology & Marketing Law Blog.

Zillman gathers automatically (using his own software) but there are gems in these reports.

December 14, 2009

New on - Deep Web Research 2010

Deep Web Research 2010: Marcus P. Zillman is an internet search expert whose extensive knowledge of how to leverage the "invisible" or "deep" web is exemplified in this guide. The Deep Web covers somewhere in the vicinity of 1 trillion pages of information located through the world wide web in various files and formats. Current search engines are able to locate around 200 billion pages. Marcus identifies sources to mitigate the odds on behalf of serious searchers.

For my statistics students. Earthquakes cause tweets! (Post hoc, ergo propter hoc)

Freaked-Out Tweets After Earthquakes Help Scientists

By Alexis Madrigal December 14, 2009 1:30 pm

For my thumb drive using students (all my students)

Encrypt Your Thumb Drive

Now this could be useful!

Use Google for Text-to-Speech Translations in the Browser

By Scott Gilbertson December 14, 2009

Make those 360 degree vistas.

How To Make Amazing Panoramas In Windows For Free

Humor Dilbert explains “tech support by intimidation.”

Humor Don McMillan has expanded his video diatribe against PowerPoint. I'll show this every time I teach presentations. (Apparently, there are shorter versions too)

Monday, December 14, 2009

Is this a subtle hint that some government sponsored hacking is going on? For example, when negotiating with the Swiss to release information to the tax authorities isn't moving fast enough...

HSBC Heist Includes Data on 130,000 Clients Worldwide, JDD Says

December 13, 2009 by admin Filed under Breach Incidents, Financial Sector, Insider

Le Journal du Dimanche (JDD) reports that the data stolen from HSBC in Geneva includes information on 130,000 clients from around the world, according to a story in Bloomberg News that cites the paper and a French prosecutor, Eric de Montgolfier.

A former employee at the Swiss bank leaked the information to de Montgolfier, who is probing possible money laundering, the newspaper reported, without identifying the worker. The Finance Ministry in Paris also received some of the data that was stolen and is using it to investigate the 3,000 or so French taxpayers on the list, JDD said.

“Hey, is how legal system vorks in Russia!”

ID Thief Tries To Get Witnesses Whacked

Posted by kdawson on Monday December 14, @05:13AM from the palpable-escalation dept.

adeelarshad82 writes

"Pavel Valkovich of Sherman Oaks, CA has pleaded guilty to solicitation of murder, admitting that he attempted to hire hit-men to kill witnesses working with Federal authorities in their investigation of Valkovich's ID theft activities and subsequent crimes. According to the Justice Department: '...Valkovich and others had stolen personal identifying information and used that information to transfer funds from victims' bank accounts to PayPal accounts.'"

A reminder that governments are no better at securing data than anyone else...

UK: Previous cases of missing data

December 14, 2009 by admin Filed under Government Sector, Non-U.S.

In the wake of another breach involving the Ministry of Defence (not listed on this site as it is not clear whether it involved personally identifiable information), the BBC has published a recap of other breaches.

No wonder I was confused. The answer is yes AND no.

Orin Kerr: Does the Fourth Amendment Prohibit Warrantless GPS Surveillance?

December 14, 2009 by Dissent Filed under Court, Featured Headlines, Surveillance, U.S.

Orin Kerr provides his analysis and views on the issue over on The Volokh Conspiracy.

Does the Fourth Amendment require a warrant to conduct surveillance of a government-installed GPS device, such as a device installed on a suspect’s car to monitor the car’s location? This issue comes up occasionally, and the DC Circuit has a case pending on the issue. I don’t think I have ever blogged about it, so I want to offer my thoughts. This post will explain why I think the doctrine here was settled by a pair of Supreme Court cases from the 1980s, and why those cases draw a pretty reasonable Fourth Amendment line.

In the 1980s, the Supreme Court decided two cases on whether the Fourth Amendment requires a warrant for the government to monitor a suspect’s location using a government-installed locating device. Both cases involved beepers, defined as “a radio transmitter, usually battery-operated, which emits periodic signals that can be picked up by a radio receiver.” The combined holding of United States v. Knotts, 460 U.S. 276 (1983), and United States v. Karo, 468 U.S. 705 (1984), was that the constitutionality of warrantless beeper surveillance depends on what information the beeper reveals. Beeper surveillance that reveals the location of the beeper in a public place does not require a warrant (Knotts); on the other hand, beeper surveillance that reveals the location of the beeper inside a home does require a warrant (Karo).

Read more on The Volokh Conspiracy.

Interesting that so many governments are working on open source projects. Perhaps that's just an off-shoot of their cyber war R&D, but I suspect not.

French Military Contributes To Thunderbird 3

Posted by kdawson on Sunday December 13, @09:28PM from the mais-oui-l'oiseau dept.

fredboboss sends news about Mozilla's email client Thunderbird 3, whose release we noted last week.

"Thunderbird 3 contains code from the French military, which decided the open source product was more secure than Microsoft's rival Outlook. The French government is beginning to move to other open source software, including Linux instead of Windows and OpenOffice instead of Microsoft Office. Thunderbird 3 used some of the code from TrustedBird, a generalized and co-branded version of Thunderbird with security extensions built by the French military."

The next device to ban while driving? Then the radio and maybe the horn...

Are Sat-Nav Systems Becoming Information Overload?

Posted by Soulskill on Sunday December 13, @12:23PM from the pothole-under-right-wheel-in-forty-two-centimeters dept.

curtS writes

"The Economist's tech editor reviews the ever-more-detailed assistance of mobile GPS devices, and wonders if the attention-sucking visual complexity isn't more trouble than it's worth. He contrasts the simplicity of London's Underground map (not directionally accurate but visually easy to understand) and his own habit of dimming the display and using the audio commands for guidance."

What a great way to build a “Bob's best lectures” collection on USB for stocking stuffers!

How To Make A Portable Version Of Winamp For Your USB Drive

By Simon Slangen on Dec. 13th, 2009

A lot of people use USB MP3 players these days, but why not the other way around? Using a standard USB stick (often way cheaper), we can have our music on the go as well.

… By loading the Winamp portable media playing software on a USB stick, as well as your music library, you can listen to your tunes everywhere, as if you were at home.

Hackers can come up with cute names too. (For every tool, an anti-tool.)

COFEE loses some of its impact thanks to DECAF

by Steve Ragan - Dec 14 2009, 12:59

The Computer Online Forensic Evidence Extractor (COFEE) is a tool created by Microsoft to help law enforcement with forensic investigations.

In November, COFEE ended up leaking to the web, and one of the sites hosting it was issued a takedown notice. In the end the notice was pointless, as Wikileaks is now hosting downloads of COFEE, so if you want a copy head here. It is a useful tool, but in our opinion BackTrack is the tool of choice.

Thanks to a new tool, as first mentioned by Dan Goodin over at The Register, there is a bit of protection for those worried about the use of COFEE.

The tool is called DECAF, and according to the site hosting it, DECAF is a “counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.”

“DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.”

Also, at a moment's notice “almost every piece of hardware can be disabled and pre-defined files can be deleted in the background,” the site explains. There is even an option that allows users to test their DECAF settings by simulating the presence of COFEE on the system.

The team behind the tool explain that future versions will contain remote functionality, as well as email and text messaging alerts.

You can download DECAF here.

Something to get my math students' attention. Perhaps a final exam question?

How to use math to park a car

by Chris Matyszczyk December 13, 2009 11:00 AM PST

… This formula solves that problem."

Indeed it does. Save for one small issue. You see, a U.K. government survey showed that almost 7 million Brits have math skills that are below the level of an average 11-year-old.

Many places in the US might have larger parking areas, but US math skills are not exactly proportionate. The National Assessment of Educational Progress suggests that only 4 out of 10 fourth- and eighth-graders are, well, any good at math at all. And only 42 percent of high school graduates left prepared for college-level math. [Highly optimistic. Bob]

[The formula is here: