Saturday, January 30, 2010

The theme of today's articles seems to be “Hacking is a growth industry.” Perhaps I'll be allowed to be a bit more “adventurous” in my Security classes?

Hacking to increase revenue. It's not reverse engineering. It's alternative engineering. No problem with patents or copyrights.

Google Deducing Wireless Location Data

Posted by timothy on Friday January 29, @11:21PM from the peekaboo-the-van-sees-you dept.

bizwriter writes

"When it comes to knowing where wireless users are, the carriers have had a lock on the data. But a patent application shows that Google is trying to deduce the information based on packet headers and estimated transmission rates. This would let it walk right around carriers and become another source of location data to advertisers."

(Related) One must weigh this reward against the price + percentage offered by those on the “Dark Side.”

Google To Pay $500 For Bugs Found In Chromium

Posted by ScuttleMonkey on Friday January 29, @03:41PM from the rewards-for-being-1337 dept.

Trailrunner7 writes to mention that a new program from Google could pay security researchers $500 for every security bug found in Chromium. Of course if you find a particularly clever bug you could be eligible for a $1337 reward.

"Today, we are introducing an experimental new incentive for external researchers to participate. We will be rewarding select interesting and original vulnerabilities reported to us by the security research community. For existing contributors to Chromium security — who would likely continue to contribute regardless — this may be seen as a token of our appreciation. In addition, we are hoping that the introduction of this program will encourage new individuals to participate in Chromium security. The more people involved in scrutinizing Chromium's code and behavior, the more secure our millions of users will be. Such a concept is not new; we'd like to give serious kudos to the folks at Mozilla for their long-running and successful vulnerability reward program."

(Related) This is a big reason why hackers succeed and a strong recommendation for open source software. It does not compromise your “brand” to share Best Practices.

Benevolent hackers poke holes in e-banking

29 January 2010 by Jim Giles

ONLINE banking fraud doesn't just affect the naive. Last year, Robert Mueller, a director at the US Federal Bureau of Investigation, admitted he'd come within a mouse-click of being a victim himself. Now the extent of the problem has been brought into sharp relief, with computer scientists warning that banking culture is increasing the likelihood that customers are using vulnerable systems.

… Banking websites and payment systems are relentlessly targeted by criminals, though, so continuous improvements in security are needed to prevent fraud. But as was revealed at this week's Financial Cryptography and Data Security conference in Tenerife in the Canary Islands, some of the best-known security systems can still be compromised relatively easily.

All too often, banks' security systems are developed in secret, so their flaws are only identified when they are deployed, says Steven Murdoch, a security researcher at the University of Cambridge.

Weaknesses in three widely used financial security systems highlight the extent of the problem.


Bank of America Web site goes down Friday

by Elinor Mills January 29, 2010 1:25 PM PST

(Related) I should probably pay more attention to the market, but have no need to BUY accounts...

A hacked Twitter account may cost as much as $1,000

January 29, 2010 by admin Filed under Uncategorized

Researchers at Kaspersky Lab report that hacked accounts of Twitter and other services are being sold online for hundreds of dollars.

Big revenues made on stolen data make hacking programs and viruses very popular among cyber criminals. According to Kaspersky Researcher Dmitry Bestuzhev there were Gmail accounts for sale on Russian hacker forums, (asking price 2,500 roubles, or $82) RapidShare accounts going for $5 per month, as well as Skype, instant messaging and Facebook credentials on the underground forums.

Read more on eCommerce Journal.

[From the article:

Compare that to an MSN account, which Bestuzhev has seen priced at €1 ($1.40).

Cyber War: Who is going to fight it? (Also a “hacker story”)

January 29, 2010

Navy Establishes U.S. Fleet Cyber Command at Fort Meade, MD

OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet will be re-commissioned to control operations supporting U. S. Fleet Cyber Command.

  • Mission: To direct Navy cyberspace operations globally to deter and defeat aggression and to ensure freedom of action to achieve military objectives in and through cyberspace; to organize and direct Navy cryptologic operations worldwide and support information operations (IO) and space planning and operations, as directed; to execute cyber missions as directed by USCYBERCOM; to direct, operate, maintain, secure and defend the Navy's portion of the Global Information Grid (GIG); to deliver integrated cyber, IO, cryptologic and space capabilities; to deliver global Navy cyber network common operational picture; and to develop, coordinate and assess Navy cyber operational requirements."


UK: Home Office spawns new unit to expand internet surveillance

January 30, 2010 by Dissent Filed under Internet, Non-U.S., Surveillance

Chris Williams reports:

The Home Office has created a new unit to oversee a massive increase in surveillance of the internet, The Register has learned, quashing suggestions the plans are on hold until after the election.

The new Communications Capabilities Directorate (CCD) has been created as a structure to implement the £2bn Interception Modernisation Programme (IMP), sources said.

The CCD is staffed by the same officials who have been working on IMP since 2007, but it establishes the project on a more formal basis in the Home Office. It is not yet included on the Home Office’s list of directorates.

Read more in The Register.


First, this may not be a breach. Second, politicians are immune from the laws we second-class citizens must obey. I'm not aware of a breach notice, so perhaps Notre Dame gave him access to this data?

Illinois Republican gubernatorial candidate Andy McKenna’s campaign “pilfered” NDU alumni info – alumnus

January 30, 2010 by Dissent Filed under Breaches, Featured Headlines, U.S.

A Notre Dame University alumnus, Gary Caruso, has taken to the Web to question how Notre Dame University Alumni Association records were obtained by Illinois Republican Gubernatorial candidate Andy McKenna’s campaign.

According to Caruso, McKenna is an alumnus of NDU and those alumni who were in his class have found themselves on the receiving end of campaign mailings that used email addresses and/or postal addresses known only to the NDU Alumni Association.

Caruso writes:

…. the inappropriate mining of Notre Dame alumni data by other Domers in support of McKenna is a breach of political ethics [There is no such thing as “political ethics” Bob] inexcusable for any Notre Dame graduate. The University officially bans the use of lists for solicitations, and institutes electronic limits on downloads to a maximum of 500 files. Unfortunately, the McKenna campaign circumvented those limitations which ultimately phished me into their digital campaign net.

Last Friday, at University President Fr. John Jenkins’ Washington, D.C., reception following the Right to Life March, I sat at length discussing the e-mail data breach with several University officials including those from our alumni association office. They emphasized their guiding principle of neutrality and privacy protections with all proprietary data collected from alumni. They further clarified the University’s policy to me and acknowledged that they are well aware of how McKenna supporters maneuvered around the firewall limitations. I left our discussion with the impression that the breach’s loophole had been closed once and for all.

As one who has tumbled within the rough world of campaigns and developed a thick political skin, the data breach initially in my mind was more of a campaign spam one-ups-man-ship until I heard complaints from others who considered the incident a breach of the University’s trust. Moreover, campaign tactics do not excuse or lessen the deleterious effect such digital maneuvering has within our alumni ranks. For many who leave their politics at the edge of campus, this is not just the phishing of alumni e-mail addresses. It is a break in the trust that they placed in their support for Notre Dame because they believe that they personally are being used as a commodity — good only until the candidacy of McKenna (or any other soliciting alumni) ends.

Caruso’s use of the words “pilfered” and “phish” may not be accurate as there has been no explanation by the NDU Alumni Association as to how this breach occurred and the alumni association has not responded to a request for an explanation as to how this breach occurred.

Ooh! Ooh! I can assign blame. Ask me! Ask me! Let's start with whoever failed to write a breach policy. Then let's add whoever failed to establish a central point of contact. In fact, the easy way to assign blame is to see who will be doing these things now that they “realize” they need new procedures and guidelines.

Ca: Review finds government officials botched handling of privacy breach

January 30, 2010 by admin Filed under Breach Incidents

Rob Shaw and Lindsay Kines report:

Mistakes, missed opportunities and bureaucratic bungling led more than two dozen officials to botch the B.C. government’s response to a major privacy breach, according to a scathing internal review released yesterday.

The investigation found supervisors in four provincial ministries used poor judgment and failed to alert the right people to handle the breach.

But nobody will be fired, because the failure was so widespread across so many officials that it cannot be pinned on one person, concluded the review.

“The judgment exercised in the many decisions made as events unfolded fell short of the due diligence [so fire them all! Bob] that is expected of the public service,” said Allan Seckel, B.C.’s deputy minister to the premier and head of the public service.

The government report follows a series of Times Colonist stories last year that revealed the personal data of 1,400 income-assistance clients was found in the Victoria home of Richard Ernest Wainwright, a supervisor in the youth and special-needs office of the Ministry of Children and Family Development.

Defining the replacement for broadcast TV? I see a business model that churns out lots of really cheap content.

Context is King: How Videos Are Found And Consumed Online

by Guest Author on January 30, 2010

… Let’s examine 8 key factors behind online video consumption

Factor 1: Media is Fragmenting

According to a recent NY Times article, in the 1952-53 season, more than 30% of American households watched NBC during prime time, according to Nielsen. In fact, up until twenty years ago, you could buy a 30-second spot on CBS, NBC or ABC and reach “everyone.”

Factor 2: Deportalization is Here to Stay

As the media world becomes fragmented and consumers move online, the Web is following a similar path, known as deportalization: the move away from the dominant portals [another word for disintermediation? Bob] of old, as social networks gain huge followings and vertical niche sites gain smaller, but more loyal, followings.

Factor 3: Content is Not a Zero-Sum Game

If we return for a second to television, it’s worth noting that with the advent of cable television, as the number of channels rose, so did overall content consumption.

Factor 4: Content is King?

Indeed, to paraphrase Viacom’s Chairman Sumner Redstone: content becomes more important than distribution mechanisms; as new channels of distribution creep up, it is the content that is always going to be necessary, hence the adage “content is king”.

Factor 5: Demand for Content is Elastic, Supply of Funds is Not

The problem, as you can imagine, is that while it’s perfectly plausible for global advertising to grow, it will not grow fast enough to feed all of the mouths at the creative table.

Factor 6: Chasing Hits Has Proven Futile

Ultimately, overall consumption of media will increase but hits become less frequent and each hit will become more niche.

Factor 7: Discovery vs. Recovery

Exacerbating matters is how content is actually unearthed. To borrow from John Battelle’s breakdown of search: videos are found via recovery and discovery.

Factor 8: Size Matters

According to Kaplan, a Pyramid of Content is emerging on the Web.

“Hulu is the best-known platform sitting at the top of the pyramid, in terms of hosting and distributing network content. YouTube, which has long been known for hosting great viral and one-off videos, has owned the bottom of the pyramid.”

The question remains: who will own the middle?

Strategically, they had to do it before the defendant did.

RIAA To Appeal Thomas-Rasset Ruling

Posted by timothy on Friday January 29, @07:04PM from the you-know-they-would dept.

frank_adrian314159 writes

"The RIAA will appeal the ruling that reduced Jammie Thomas-Rasset's $1.92 million fine for file sharing to $54,000. '"It is a shame that Ms. Thomas-Rasset continues to deny any responsibility for her actions rather than accept a reasonable settlement offer and put this case behind her," said RIAA spokeswoman Cara Duckworth.' Joe Sibley, an attorney for Thomas-Rasset, said his client would not settle for the $25,000 that the RIAA has asked for. '"Jammie is not going to agree to pay any amount of money to them," Sibley said, adding that it doesn't matter to Thomas-Rasset whether the damages are $25,000 or $1.92 million.' In addition, Thomas-Rasset's attorneys say that, win or lose, they plan to appeal the constitutionality of the fine."

The very near future. For my students? Computers cheaper than a pair of sneakers?

Video Review of Hivision's $100 ARM-Based Android Laptop

Posted by timothy on Friday January 29, @08:34PM from the toward-marginal-cost dept.

Charbax writes

"The Android laptops are coming. Thanks to cheap ARM-powered laptops made in China, and the latest, most optimized Android software, we can soon buy usable $100 laptops in all the supermarkets. In this video, I test the web browsing speed on the new Rockchip rk2808 ARM9-based PWS700CA laptop by Shenzhen-based Hivision Co Ltd. Web browsing on AJAX-heavy websites is surprisingly snappy, and could only be even faster if ARM11, ARM Cortex A8 or A9 processors were used and if it was configured with slightly more than 128MB RAM. How soon will Google release the $100 Google laptop?"

Tools & Techniques Of course, you would never do this.

Top 3 Cool Secret Mobile Phone Tricks to Have Some Fun With Your Phone

By Dean Sherwin on Jan. 29th, 2010

Friday, January 29, 2010

I would have expected more from PWC. (Auditors certainly know better.)

77,000 Alaskans’ information missing; state settles with firm

January 29, 2010 by admin Filed under Breach Incidents, Government Sector, Lost or Missing, Of Note, Subcontractor, U.S.

Ted Land reports:

Tens of thousands of Alaskans are trying to find out if their personal information is missing. Attorney General Dan Sullivan announced Thursday there’s been a massive security breach reaching the highest levels of state government.

More than 77,000 Alaskans’ personal information is missing. No one knows where it went.


On that list, are Sullivan and Gov. Sean Parnell and more than 77,000 other Alaskans who were participants in the Public Employees Retirement System and the Teachers Retirement System in 2003 and 2004.

“In this case the information that we’re concerned of is names, dates of birth and social security numbers,” Sullivan said.

In the process of an ongoing lawsuit against the state’s former actuary, Mercer, a law firm turned over personal information to the state’s financial experts, PricewaterhouseCoopers, a private firm which was evaluating the list as part of the lawsuit.

In early December, PricewaterhouseCoopers realized the names and numbers could not be found.

Read more on KTUU.

BNO News reports more on the state’s settlement with PricewaterhouseCoopers LLP:

Alaska Attorney General Dan Sullivan said that PricewaterhouseCoopers has accepted responsibility for the security failure.

“Most importantly, the firm has agreed to protect Alaskans by paying for identity theft protection and credit-monitoring, or a security freeze, for each of the 77,000 Alaskans who are potentially affected by this failure and by ensuring that Alaskans are reimbursed for losses that they might incur as a result of ID theft caused by this breach,” [Very unusual! Bob] Sullivan announced.

Sullivan also noted that other provisions of the settlement protect the state’s finances by, for example, requiring PricewaterhouseCoopers to pay for up to $100,000 of the cost of notifying affected individuals.

[From the BNO News:

The state was notified of PwC’s security failure last week and obtained the data files containing specific information about the Alaskans involved Friday. [Notification took a month and a half? Bob]

[From KTUU:

The state says it is not going to sue PricewaterhouseCoopers. [Perhaps that explains the generous(?) terms offered by PWC Bob]

If you can't trust the tax man, who can you trust?

Oklahoma tax domain offering tax help and Malware

by Steve Ragan - Jan 28 2010, 14:34

The official tax site for Oklahoma is offering more than just tax help, AVG’s Roger Thompson says. The portal for the Oklahoma Tax Commission has been hijacked, and as of 10:00 a.m. this morning is still serving malicious PDF files to anyone simply visiting the main page.

This may be skewed toward retail, but is still interesting.

The State of Computer Security in the UK

January 29, 2010 by admin Filed under Commentaries and Analyses

eSecurity Planet reports:

British security consulting firm 7Safe and the University of Bedfordshire have released the UK Security Breach Investigations Report 2010, which looks at the current state of computer security in the UK through an analysis of actual data breaches.

Key findings include the fact that 69 percent of data compromises occurred in the retail sector, 85 percent of cases resulted in stolen payment card information, and SQL injection was used in 60 percent of attacks.

The methodology is based on actual incidents investigated by 7Safe:

This work analyses 62 genuine cases of breaches investigated over a period of 18 months. These investigations have been conducted by the digital forensics team at 7Safe. The breaches vary in many ways, including the sector they belong to, the number of records at risk and the sophistication of the attack. This report presents statistics on the investigations and discusses the data to provide a greater understanding of underlying trends.

The free report can be accessed here.
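The report's headline numbers (retail targets, stolen card data, SQL injection as the entry point in most cases) describe one attack class without showing it. The following is an added illustration, not code from 7Safe, the University of Bedfordshire or the eSecurity Planet article: a constructed in-memory SQLite store with an orders table and a separate card table, a lookup that splices user input into the query string, and the same lookup parameterized. The table names, columns and rows are all made up for the demonstration.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an order-lookup table and the card table an
    attacker actually wants. Nothing here comes from a real breach."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT)")
    conn.execute("CREATE TABLE cards (customer TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (1, "alice", "kettle"),
        (2, "bob", "toaster"),
        (3, "carol", "lamp"),
    ])
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("alice", "4111111111111111", "12/12"),
        ("bob", "5500000000000004", "03/11"),
        ("carol", "340000000000009", "07/13"),
    ])
    return conn


def orders_vulnerable(conn: sqlite3.Connection, customer: str):
    """The pattern behind most of the report's retail cases: attacker-controlled
    text is concatenated into the SQL, so the quote and comment characters in
    the input become part of the statement."""
    sql = f"SELECT id, customer, item FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def orders_parameterized(conn: sqlite3.Connection, customer: str):
    """Same query with a bound parameter: the driver passes the input as a
    value, never as SQL text, so the payloads below match no rows."""
    sql = "SELECT id, customer, item FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Two classic payloads: a tautology that returns every order, and a UNION
# that pulls card numbers out of a table the query never mentioned.
TAUTOLOGY = "' OR '1'='1"
UNION_CARDS = "' UNION SELECT 0, customer, pan FROM cards --"

if __name__ == "__main__":
    conn = build_db()
    print("legit lookup:     ", orders_vulnerable(conn, "alice"))
    print("tautology (vuln): ", orders_vulnerable(conn, TAUTOLOGY))
    print("union cards (vuln):", orders_vulnerable(conn, UNION_CARDS))
    print("tautology (safe): ", orders_parameterized(conn, TAUTOLOGY))
    print("union cards (safe):", orders_parameterized(conn, UNION_CARDS))
```

Running it shows the vulnerable lookup returning all three orders for the tautology and all three card numbers for the UNION payload, while the parameterized version returns nothing for either. The fix is the same in every language and driver: bind values, never build statements from strings.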

(Related) Not retail, but they are still after financial data – although the title might suggest otherwise.

Report: Critical Infrastructures Under Constant Cyberattack Globally

By Kim Zetter January 28, 2010 2:30 pm

… About 55 percent of respondents in the energy and power and the oil and gas sectors reported that the attackers most often targeted the SCADA or other operational control systems, although the survey offers no indication of how successful these attacks were.

Only 57 percent of respondents across all sectors said their organization installed security patches and updated software on a regular schedule.

The report, “In the Crossfire: Critical Infrastructure in the Age of Cyberwar,” was commissioned by anti-virus firm McAfee and coordinated by the Center for Strategic and International Studies in Washington, DC.

These guys must be innocent because apparently they have nothing to worry about.

Experts Urge Secretary Clinton to Act on International Privacy Convention

January 29, 2010 by Dissent Filed under Govt


Twenty-nine experts in privacy and technology have sent a letter to US Secretary of State Hillary Clinton to urge that the United States begin the process of ratification of the Council of Europe Convention on Privacy. More than forty countries have ratified the Convention, which was opened for signature on January 28, 1981. The letter calls attention to Secretary Clinton’s recent remarks on Internet Freedom and the Madrid Declaration in which civil society groups have urged countries that have not yet ratified the Council of Europe Convention to do so as soon as possible. The signatories state, “privacy is a fundamental human right. In the 21st century, it may become one of the most critical human rights of all.”

More likely, it will raise the value of hacker/stalkers...

Will an Expanded Right of Privacy Deter China’s Internet Vigilantes?

January 29, 2010 by Dissent Filed under Featured Headlines, Internet, Legislation, Non-U.S.

Stanley Lubman writes:

A new legal development in China could have broad implications for domestic internet users – and, more significantly, for meaningful legal reform.

The comprehensive Tort Liability Law that was passed in late December by the China’s National People’s Congress includes a provision that gives citizens the right to sue for infringement of their privacy, which thereby solidifies the legal foundation of that right (Chinese text available here). If the law is applied by the courts without Party interference, it could limit the growing practice of using the internet to harass and vilify people deemed by internet users to have committed criminal or improper acts.


The law (Articles 2 and 6) creates liability for anyone who has infringed on and damaged “civil rights and interests” of others, and includes a generally stated “right of privacy” (not otherwise defined) in a list of protected interests, including the right to reputation. An injured party may also sue an employer whose employees caused the injury in the course of their employment (Art. 34). Also subject to suit are internet service providers that are used to infringe on the “civil rights and interests” of another person, or are aware that users are committing the tort and do not take necessary measures to cease the offending action after being notified of it (Art. 36). (A summary is available here in PDF format.)

Read more in the Wall Street Journal.

Shouldn't they ask the school to produce everything every student has ever put online (they weren't targeting just one student, were they?) and everything every school official ever posted online (just to have their lawyer on record saying “It isn't related to anything at school.”)?

School Punished Kid for Video, Dad Says

January 29, 2010 by Dissent Filed under Court, Youth

Tish Kraft reports on Courthouse News:

A dad says Roseville Joint Union High School District unfairly threw his son off the Granite Bay High School basketball team because the boy produced a parody video about hip-hop music and the youth drug culture and posted it on Youtube. The boy and his friends did the video on their own time, in the summer, according to the complaint in Placer County Court.

The father wants to see all the email messages, counselors’ and basketball records and other items regarding the district’s decision to retaliate against his son.

Plaintiff Mike Harris says he asked to see the records documenting “the manner in which the district learned about and reacted to” his son’s video. After submitting a written request, he says he was allowed to see his son’s cumulative and disciplinary files, but nothing else. Miller wants to see the complete record.

A copy of the complaint can be found here.

If I was wearing my paranoid hat (something I never take off) I would be starting to think that the government might have discovered something exceptionally useful in all that phone data and are putting up such a determined defense to keep any hint of whatever it is from leaking.

Obama Speaks Transparency, Practices Subterfuge

By David Kravets January 28, 2010 7:00 pm

… When it comes to Obama transparency, Electronic Frontier Foundation privacy attorney Kurt Opsahl points out that the chief executive told the American public one thing Wednesday night and a federal appeals court another just a few weeks ago. [Politicians call that governing, everyone else calls it lying. Bob]

The issue at hand surrounds lobbying. “It’s time to require lobbyists to disclose each contact they make on behalf of a client with my administration or Congress,” the president said during his televised address.

But, before the 9th U.S. Circuit Court of Appeals last month, the Justice Department argued that it should not have to disclose the names of telecommunication industry lobbyists. Those companies successfully lobbied Congress and President George W. Bush in 2008 to approve legislation that provided their companies with retroactive immunity to lawsuits accusing them of funneling, without warrants, all domestic electronic communications to the National Security Agency.

What have I told you about giving away hacker secrets? Now I won't be able to read Paris Hilton's emails!

80% of Cell Phone Encryption Solutions Insecure

Posted by timothy on Thursday January 28, @06:21PM from the nsa-working-on-the-rest dept.

An anonymous reader writes

"Mobile Magazine writes about a blogger named Notrax who has tested 15 methods of secure encryption for mobile phones; out of those he found only 3 could not be cracked at some level. '12 of them were "worthless." It's easy to take the software at face value when it "tells you" that the call is secured. But how does someone actually go about being sure that it is secured? Notrax did some digging and discovered he could break in to almost all of them in under 30 minutes.'"

(Above link is to a slightly older description of Notrax's approach; then, it was 9 out of 10 products that were worthless, instead of 12 out of 15.)

Some more on Apple. There are lots of iPad questions (on security, low resolution display, sticking with AT&T, etc.) But allowing Internet calls has the potential to kill some phone companies (not a bad thing). Can AT&T ride it to survivor-land?

Video VoIP calls over iPhone 3G? You betcha

by Jessica Dolcourt January 28, 2010 1:49 PM PST

Apple may have focused all its laser-beam attention on the iPad at Wednesday's press event, but that wasn't the computing giant's only announcement. Effective immediately, Apple has given up blocking voice-over-IP (VoIP) calls over 3G data networks on the iPhone, and has changed the SDK to reflect the allowance. Of course, your carrier has to also comply for VoIP calls to work over 3G in addition to Wi-Fi. Luckily for us, AT&T in the U.S. is already on board.

Just because ...

10 Cool Online Apps and Interactive Features Offered by NASA

By Ryan Dube on Jan. 28th, 2010

Thursday, January 28, 2010

Today is a good day to discuss privacy!

Google's Privacy Principles

1/27/2010 07:00:00 PM

Thursday, January 28th marks International Data Privacy Day. We're recognizing this day by publicly publishing our guiding Privacy Principles.

  • Use information to provide our users with valuable products and services.

  • Develop products that reflect strong privacy standards and practices.

  • Make the collection of personal information transparent.

  • Give users meaningful choices to protect their privacy.

  • Be a responsible steward of the information we hold.

If you are out of control enough to allow hard drives to walk out the door, you are highly unlikely to have control over your data inventory, now are you?

(update) Missing National Archives hard drive contained more data than previously estimated

January 27, 2010 by admin Filed under Government Sector, Lost or Missing

The National Archives breach involving White House staff and visitors seems to be one of those breaches where after almost a year, estimates of number of people affected are still emerging and increasing. An article on Roll Call indicates that personal information on 250,000 Clinton administration staff and White House visitors sent to the National Archives was on a computer hard drive that disappeared nearly a year ago. Last month, the National Archives warned 150,000 people after initially warning 26,000.

Could we be setting foreign policy based on some smart crooks? If Google doesn't have the forensic expertise to make a solid determination, who does?

Was Operation Aurora really just a conventional attack?

by Steve Ragan - Jan 27 2010, 18:30

There are a lot of questions surrounding the Aurora attacks. From the very start, after internal investigations at Google, the blame was quickly placed on China. Further Malware analysis from several independent security researchers supported this theory. Yet, despite all the research and news, the evidence simply can’t hold the weight that China’s government condoned or ordered the attacks.

For your Security Manager (and whoever can ban the use of Internet Explorer). This is why you need to Design for Security!

IE Windows vuln coughs up local files

January 27, 2010 by Dissent Filed under Internet

Dan Goodin reports:

If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive.

The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine’s C drive, including files, authentication cookies – even empty hashes of passwords.

Read more in The Register.

[From the article:

Microsoft's "rapid response team" didn't reply to an email, but a statement sent to other news outlets said the company is investigating the vulnerability and isn't aware of it being exploited in the wild. [First rule of Hacking: When you find a vulnerability. SHUT UP! Bragging leads to fixes. Bob]

The hole is difficult to close because the attack exploits an array of features IE users have come to rely on to make web application work seamlessly.

… "The things we are reporting are not bugs, they are features," Medina said. "They are needed for many applications to work, so [Microsoft] can't simply remove or truncate" them.

Who has the FCC's ear? As Hernando (and any politician) would say: “It is better to look Neutral than to be Neutral.”

FCC's Net Neutrality Plan Blocks BitTorrent

Posted by CmdrTaco on Thursday January 28, @09:35AM from the well-of-course-it-does dept.

master_p writes

"The FCC's formally issued draft net neutrality regulations have a huge copyright loophole in them; a loophole that would theoretically permit Comcast to block BitTorrent just like it did in 2007 — simply by claiming that it was "reasonable network management" intended to "prevent the unlawful transfer of content." The new proposed net neutrality regulations would allow the same practices that net neutrality was first invoked to prevent, even if these ISP practices end up inflicting collateral damage on perfectly lawful content and activities."

Big Brother will make your life simpler! No need to go to the polls! We can cast your vote based on your face! Thank you for voting for Big Brother!

Political Affiliation Can Be Differentiated By Appearance

Posted by samzenpus on Wednesday January 27, @01:06PM from the if-it-looks-like-a-liberal-and-quacks-like-a-liberal dept.

quaith writes

"It's not the way they dress, but the appearance of their face. A study published in PLoS One by Nicholas O. Rule and Nalini Ambady of Tufts University used closely cropped greyscale photos of people's faces, standardized for size. Undergrads were asked to categorize each person as either a Democrat or Republican. In the first study, students were able to differentiate Republican from Democrat senate candidates. In the second, students were able to differentiate the political affiliation of other college students. Accuracy in both studies was about 60% — not perfect, but way better than chance."

There are several ways to do this; the immediate counter is to block them all... I'll be looking for details of their “solution”.

Twitter Developing Technology To Thwart Censorship

Posted by samzenpus on Wednesday January 27, @08:50PM from the unblockable-force dept.

SHMG writes

"Micro-blogging site Twitter is developing technology that will prevent government censorship, after Iran and China moved to censor its users. Speaking at the World Economic Forum, Twitter CEO and co-founder Evan Williams said the company was working on 'hacks' to stop any blocking by foreign governments. 'We are partially blocked in China and other places and we were in Iran as well,' he said. 'The most productive way to fight that is not by trying to engage China and other governments whose very being is against what we are about.'"

Think of this as an assertion that “We didn't stab that gunshot victim...”

Barnes & Noble Reassures Customers That It Has Never Shared Credit Card Information with Discount Clubs

January 27, 2010 by Dissent Filed under Businesses, Court

From Dow Jones Newswires:

Barnes & Noble Inc. (BKS) confirmed it received a subpoena involving an investigation into alleged online retail fraud, although the company stressed it doesn’t turn over personal or credit-card information to online discount clubs.

“Customers should be reassured that their personal information, including credit- and debit-card information is not and never has been shared with discount clubs,” said President William Lynch.

The company, along with 21 other online merchants, is under investigation by New York Attorney General Andrew M. Cuomo for allegedly linking consumers with discount promotions that end up charging them illegal fees.

The programs are run by third-party companies that charge unauthorized fees under the guise of discount offers and also receive consumers’ credit-card numbers, Cuomo said. The merchants subpoenaed have deals with three major companies that offer the discount programs: Webloyalty, Affinion/Trilegiant and Vertrue.

Read more on CNN.

[From the article:

It said that, when consumers complete a purchase on its Web site, they are presented with a Webloyalty advertisement offering a discount. If the consumer were to click on the ad, a message would signal that the consumer is leaving the Barnes & Noble Web site and is subject to Webloyalty's terms and conditions.

… When asked about the company's plan to continue its relationship with Webloyalty, a Barnes & Noble spokeswoman declined to comment.

New frontiers is no longer a plank in the Democratic platform? Perhaps we should do things not “because they are hard”

Obama Choosing NOT To Go To the Moon

Posted by CmdrTaco on Wednesday January 27, @01:00PM from the selling-out-the-future dept.

bonch writes

"Obama's budget proposal will contain no funding for the Constellation program, which was to send astronauts to the moon by 2020. Instead, NASA will be focused on terrestrial science, such as monitoring global warming. One anonymous official said: 'We certainly don't need to go back to the moon.'" [“They ain't no voters there!” Bob]

Tools & Techniques Teaching - Making The Job Of Teachers Simpler

Kubbu can be termed a tool for e-learning which is available to teachers everywhere. Using it, any such professional can come up with activities to keep his students engaged, and enhance the learning experience on the whole.

Tools & Techniques Use this as images in website links.

ShrinkTheWeb: Automatically Creates Web Screenshot Thumbnails

Tools & Techniques Research Or, create an aggregate page instead of the list of useful links I prepare for each class.

Memonic: Easily Store & Organize Web Content

Similar tools: Cloverr and Clipmarks.

The first feedback I've had from my Apple-geek friends isn't so positive. These articles seem to agree:

7 Essential Features Left Off of the iPad

iPad DRM endangers our rights

Humor? Unfortunately not... My wife wants to buy a GPS, so she can constantly tell me where to go.

Let your own voice tell you where to go with the Garmin GPS voice studio

Wednesday, January 27, 2010

Interesting on many levels. On the face of it, the bank didn't follow its own security procedures. If the court determines that the bank's security was NOT reasonable, how many cans of worms does that open? (One test: Did any of their customers ask for more security?) Will this 'less than stellar' treatment of a customer result in flight of their small business accounts?

Texas Bank Sues Customer Hit by $800,000 Cyber Heist

January 26, 2010 by admin Filed under Breach Incidents, Business Sector, Of Note

Brian Krebs reports:

A machine equipment company in Texas is tussling with its bank after organized crooks swiped more than $800,000 in a 48-hour cyber heist late last year. While many companies similarly victimized over the past year have sued their banks for having inadequate security protection, this case is unusual because the bank is preemptively suing the victim.

Both the victim corporation – Plano based Hillary Machinery Inc. – and the bank, Lubbock based PlainsCapital, agree on this much: In early November, cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of Hillary’s account, and PlainsCapital managed to retrieve roughly $600,000 of that money.

PlainsCapital sued Hillary on Dec. 31, 2009, citing a letter from Hillary that demanded repayment for the rest of the money and alleged that the bank failed to employ commercially reasonable security measures. The lawsuit asks the U.S. District Court for the Eastern District of Texas to certify that PlainsCapital’s security was in fact reasonable, and that it processed the wire transfers in good faith. The documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.

Read more on KrebsonSecurity.

[From the article:

Owen said the transfers appear to have been initiated from computers in Romania and Italy, among others, and sent to accounts in Ukraine, Russia and other Eastern European nations.

According to a Nov. 12 memo that Owen said PlainsCapital shared with him, the institution’s commercial banking platform requires that each customer not only enter a user name and password, but also “register” their computer’s Internet address by entering a secure access code sent to the e-mail address on file for the customer.

The bank’s memo states that on Nov. 8, secure access code e-mails were sent to a Hillary e-mail address, but that the request came from a computer with an Internet address in Italy. The memo further states that the actual wire transfer requests were made from computers with Internet addresses in Romania.

… Transaction logs shared by Hillary indicate that the majority of the unauthorized transfers were international wires for roughly $100,000 each. But at least $60,000 of the money was sent to more than two dozen money mules, willing or unwitting accomplices in the United States who are often recruited through work-at-home job scams.

A copy of the bank’s complaint against Hillary Machinery is available here (PDF).

Who benefits? This would make sense if China wanted to get into the oil producing business.

US oil industry hit by cyberattacks: Was China involved?

MONITOR EXCLUSIVE: Breaches show how sophisticated industrial espionage is becoming. The big question: Who’s behind them?

At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.

The oil and gas industry breaches, the mere existence of which has been a closely guarded secret of oil companies and federal authorities, were focused on one of the crown jewels of the industry: valuable “bid data” detailing the quantity, value, and location of oil discoveries worldwide, sources familiar with the attacks say and documents obtained by the Monitor show.

Just to help you think about Privacy.

Help EFF Research Web Browser Tracking

January 27, 2010 by Dissent Filed under Featured Headlines, Internet

Data Privacy Day is tomorrow. Wouldn’t it be a good activity to take part in an experiment on how your online patterns can identify you? Peter Eckersley explains:

What fingerprints does your browser leave behind as you surf the web?

Traditionally, people assume they can prevent a website from identifying them by disabling cookies on their web browser. Unfortunately, this is not the whole story.

When you visit a website, you are allowing that site to access a lot of information about your computer’s configuration. Combined, this information can create a kind of fingerprint — a signature that could be used to identify you and your computer. But how effective would this kind of online tracking be?

EFF is running an experiment to find out. Our new website Panopticlick will anonymously log the configuration and version information from your operating system, your browser, and your plug-ins, and compare it to our database of five million other configurations. Then, it will give you a uniqueness score — letting you see how easily identifiable you might be as you surf the web.

Adding your information to our database will help EFF evaluate the capabilities of Internet tracking and advertising companies, who are already using techniques of this sort to record people’s online activities. They develop these methods in secret, and don’t always tell the world what they’ve found. But this experiment will give us more insight into the privacy risk posed by browser fingerprinting, and help web users to protect themselves.

To join the experiment:

To learn more about the theory behind it:
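The “uniqueness score” Eckersley describes, worked through as an added example that is not EFF's Panopticlick code: a constructed database of previously logged browser configurations, the identifying information (in bits) carried by each attribute, and the score for the combined fingerprint. The attribute set and every sample value are constructed; the point it shows is that a visitor whose individual attributes are each common can still be unique in combination, with no cookie involved.

```python
import hashlib
import math
from collections import Counter

# Attributes a site can read without any cookie (a small subset of what a
# fingerprinting site would actually log). Constructed for this example.
ATTRIBUTES = ("user_agent", "plugins", "timezone", "screen", "fonts")

# Constructed sample database of configurations logged from earlier visitors.
# Three visitors share one common configuration, two share another.
SAMPLE_DB = [
    {"user_agent": "Firefox/3.6 Windows", "plugins": "Flash 10,Java 6",
     "timezone": "-300", "screen": "1280x800x24", "fonts": "Arial,Verdana,Times"},
] * 3 + [
    {"user_agent": "IE 8 Windows", "plugins": "Flash 10,Silverlight 3",
     "timezone": "-300", "screen": "1024x768x32", "fonts": "Arial,Verdana,Times,Calibri"},
] * 2 + [
    {"user_agent": "Safari/4 Mac", "plugins": "Flash 10,QuickTime 7",
     "timezone": "-480", "screen": "1440x900x24", "fonts": "Helvetica,Lucida Grande"},
    {"user_agent": "Chrome/4 Windows", "plugins": "Flash 10",
     "timezone": "+0", "screen": "1920x1080x24", "fonts": "Arial,Verdana,Times"},
    {"user_agent": "Firefox/3.6 Linux", "plugins": "none",
     "timezone": "+60", "screen": "1680x1050x24", "fonts": "DejaVu Sans,Liberation Serif"},
]


def fingerprint(config):
    """Reduce the attribute values to one opaque identifier, as a tracker would store it."""
    joined = "|".join(config[a] for a in ATTRIBUTES)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()[:16]


def surprisal_bits(value, observed):
    """Identifying information in one observed value: log2(1 / P(value))."""
    share = Counter(observed)[value] / len(observed)
    return math.log2(1.0 / share)


def uniqueness_report(config, database):
    """Log the visitor, then score how identifiable it is against the whole database.

    Returns per-attribute bits, the number of logged configurations that share
    the visitor's full fingerprint, and the bits carried by the combination.
    """
    logged = list(database) + [config]  # the visitor always matches itself
    report = {a: surprisal_bits(config[a], [c[a] for c in logged]) for a in ATTRIBUTES}
    fp = fingerprint(config)
    matches = sum(1 for c in logged if fingerprint(c) == fp)
    report["fingerprint_matches"] = matches
    report["fingerprint_bits"] = math.log2(len(logged) / matches)
    return report


if __name__ == "__main__":
    common = dict(SAMPLE_DB[0])
    # Same browser, plugins, timezone and screen as the common visitor;
    # only the installed font list differs.
    rare = dict(common, fonts="Arial,Verdana,Times,Wingdings,Comic Sans MS")
    for name, cfg in (("common", common), ("rare", rare)):
        r = uniqueness_report(cfg, SAMPLE_DB)
        print(name, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in r.items()})
```

The "common" visitor is one of four identical entries and carries about 1.2 bits; the "rare" visitor's fonts alone make its combined fingerprint unique among the nine logged configurations (log2(9), about 3.2 bits), even though every other attribute is shared with several others.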

The land of Big Brother is also spawning lots of Little Brothers.

EU To Assess Virgin Media Surveillance Software

January 26, 2010 by Dissent Filed under Internet, Non-U.S.

Virgin Media may have to put its plans to trial a tool that can monitor illegal file-sharing [More accurately, monitor all Internet activity to attempt to identify illegal file transfers, which (without copies of licenses or contracts) they can not do. Bob] over the Internet on hold, after the European Commission said it would investigate the legality of the software.

It was last November when Virgin Media broke ranks with its fellow service providers and said that it was trialling new technology from data collection specialist Detica, which would allow it to monitor file sharing over the Internet.

The government outlined its plans to cut off illegal file-sharers in the Queen’s Speech last year, with its Digital Economy Bill, which gives Lord Mandelson the ability to get tough on file-sharing. But the government’s clampdown has not gone down well with the UK Internet Service Providers Association (ISPA), as well as ISP TalkTalk.

And now it seems that the EU is to investigate Detica’s CView software, following a complaint from Privacy International.

Read more on eWeek Europe.

Just because I love extending my vocabulary.

Champerty and Other Common Law We Could Use Today

Posted by kdawson on Wednesday January 27, @02:17AM from the officious-intermeddling dept.

pevans writes

"Over on Red Hat's I found this neat summary of a few old laws that could really help us today with the patent trolls. The article 'What's wrong with champerty?' is brief, but full of legal goodness that seems to have fallen by the wayside: 'Let's bring back barratry, maintenance, and champerty for patent lawsuits. Combine that with a limitation on the assignment of patents and a lot of patent trolls would be out of business. patents have to be freely assignable? And why can't we prohibit a cause of action for patent infringement where there is no net gain to society?"

I've blogged about this earlier, but this is the first link to the report I've seen.

January 26, 2010

Kaiser Foundation - Most Youth Say They Have No Rules About How Much Time They Can Spend With TV, Video Games, or Computers

Kaiser Family Foundation resource links: "With technology allowing nearly 24-hour media access as children and teens go about their daily lives, the amount of time young people spend with entertainment media has risen dramatically, especially among minority youth, according to a study released by the Kaiser Family Foundation. Today, 8-18 year-olds devote an average of 7 hours and 38 minutes (7:38) to using entertainment media across a typical day (more than 53 hours a week). And because they spend so much of that time ‘media multitasking’ (using more than one medium at a time), they actually manage to pack a total of 10 hours and 45 minutes (10:45) worth of media content into those 7½ hours. The amount of time spent with media increased by an hour and seventeen minutes a day over the past five years, from 6:21 in 2004 to 7:38 today. And because of media multitasking, the total amount of media content consumed during that period has increased from 8:33 in 2004 to 10:45 today.

  • Generation M2: Media in the Lives of 8- to 18-Year-Olds is the third in a series of large-scale, nationally representative surveys by the Foundation about young people’s media use. It includes data from all three waves of the study (1999, 2004, and 2009), and is among the largest and most comprehensive publicly available sources of information about media use among American youth."

(Related) First release, but it was announced a couple of days ago.

January 26, 2010

Ponemon 2009 Annual Study: Cost of a Data Breach

"This Ponemon Institute 2009 Annual Study: Cost of a Data Breach - Understanding Financial Impact, Customer Turnover, and Preventive Solutions examines the costs incurred by 45 organizations after experiencing a data breach. Results were not hypothetical responses; they represent the cost estimates of activities resulting from the actual data loss incidents. This is the fifth annual survey of this issue. Breaches included in the survey ranged from approximately 5,000 records to more than 101,000 records from 15 different industry sectors."

(Related) Yet another report

Hacker Attacks Targeting Healthcare Organizations Doubled in the 4th Quarter of 2009 According to SecureWorks

January 26, 2010 by admin Filed under Commentaries and Analyses, Of Note

SecureWorks®, Inc., a provider of information security services protecting 2,700 clients worldwide, reported today that attempted hacker attacks launched at its healthcare clients doubled in the fourth quarter of 2009. Attempted attacks increased from an average of 6,500 per healthcare client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009. Attempted attacks against other types of organizations, protected by SecureWorks, did not increase in the fourth quarter.

“From October through December of 2009, we blocked hundreds of SQL Injection and Butterfly/Mariposa Bot malware attacks launched at our healthcare clients. These attempted attacks were responsible for the increase in our attack statistics,” said Hunter King, security researcher with SecureWorks’ Counter Threat Unit(SM) (CTU).

Source: SecureWorks press release

I don't know how Harvard does it. With so many apparently horrific examples of bad management, how do they select just a few cases to teach from each year? Question: Do they have Class Action lawyers in Canada? (We'll find out soon if they do.)

Canadian Android Carrier Forcing Firmware Update

Posted by kdawson on Tuesday January 26, @11:19PM from the monopoly-rents dept.

Wolfier writes

"For wireless carrier Rogers in Canada, it seems that 'Customer Safety' only becomes a concern after months of neglect. Rogers is the only GSM carrier in Canada and so the only choice for Android users. Months ago, a customer called Rogers to report a firmware bug that was preventing users from making 911 calls under certain circumstances, and informed the carrier that Google had fixed the bug (recording of that call). But Rogers is only doing something about it now — namely, cutting data access of paying customers until they accept a mandatory firmware upgrade that not only fixes the 911 problem, but also contains 'extra' features that prevent users from ever gaining root access to their phones — even non-subsidized ones. And some phones are also getting bricked by this 'official' update. The moral: we really need to open up the competition here up North."

Is this a market opportunity? Would an app that connects you to guidelines for various types of emergencies find a market? Connect it to live experts and emergency services and it just might.

A Closer Look at Haiti Quake Survivor’s Use of Tech

By Brian X. Chen January 26, 2010 5:16 pm

Looks like all the lawyers will need to be retrained.

Tuesday, January 26, 2010

A First Look at WestlawNext

… WestlawNext completely changes the search interface and the search engine behind it. ... This new search engine does not just look at the terms you enter, a West executive said. Rather, it tries to identify the issue of law based on the terms you searched.

Tools & Techniques

Fulfill Your Screen Capturing Needs With Bug Shooting

By Tim Lenahan on Jan. 26th, 2010

… If you are trying to write a tutorial or manual for a software application, whether it’s for your mother or a potential client, screen shots are almost always needed.

Bug Shooting works on Windows XP and Vista (32-bit) and requires Microsoft .NET Framework 2.0.

How to Take Easy Screenshots with Lightscreen Portable

… As you can also tell from reading articles here, there are a few different software options when you want to take screenshots. There’s the PrtSc Button, Gadwin PrintScreen, Jing, and Wink (from Ben’s article, 4 Tools For Creating Screenshots and Screencasts). Also check out Ann’s post, All You Need For Making Awesome Screenshots.

This article is about the tool I use to take screenshots, Lightscreen Portable. There are several reasons I choose to use Lightscreen Portable including ease of use, stability, and portability.

Tools & Techniques Be careful what you automate. It may allow me to sign in to your bank account and empty it to my Cayman Islands account.

Dejaclick: A Web Activity Recording & Bookmarking Tool (Firefox)

… Is logging into your three email accounts the first thing that you do after switching on your computer? Are you tired of entering the usernames and passwords each time?

We tend to perform a lot of repetitive tasks using our computers and for that reason most professional desktop software such as Microsoft Word and Adobe Photoshop has long supported macros – an activity recording of the series of steps required to perform a given task that can be saved and called (played) later at will.

Dejaclick brings the same functionality to webpages. It is a web recording utility for Firefox.

  • No limit on the number of steps a recording can have.

  • Saves encrypted recordings where passwords are involved.

… Get Dejaclick @

Because occasionally my website students actually want to build a website.

13 Easy And Powerful Website Building Tools To Create Your Free Site

January 25, 2010