Saturday, March 27, 2010

Now I've got the attention of my Computer Security students.

http://www.databreaches.net/?p=10875

Student loan company: Data on 3.3M people stolen

March 27, 2010 by admin

From the Associated Press:

A company that guarantees federal student loans said Friday that personal data on about 3.3 million people nationwide has been stolen from its headquarters in Minnesota.

Educational Credit Management Corp. said the data included names, addresses, Social Security numbers and dates of birth of borrowers, but no financial or bank account information.

The data was on “portable media” that was stolen sometime last weekend, ECMC said in a statement.

Read more on Updated News.

ECMC’s statement is prominently linked from ECMC’s home page at the time of this posting.

Kevin Diaz of the Star Tribune adds that “Congressional sources said the data were stored on discs contained in a safe.”

[From the Star Tribune article:

U.S. Department of Education officials said it is believed to be one of the biggest cases of student identity theft in the nation, affecting 5 percent of all students with federal loans in the United States.



I'd like to meet whoever negotiated this plea. I'd like to know what would have come out in court.

http://www.wired.com/threatlevel/2010/03/heartland-sentencing/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Hacker Sentenced to 20 Years for Breach of Credit Card Processor

By Kim Zetter March 26, 2010 3:11 pm

BOSTON — Convicted TJX hacker Albert Gonzalez was sentenced to 20 years and a day, and fined $25,000 on Friday for his role in breaches into Heartland Payment Systems, 7-Eleven and other companies.

The sentence will run concurrently with a 20-year sentence he received on Thursday in two other cases involving hacks into TJX, Office Max, Dave & Busters restaurants and others, so it adds only one day to his total prison term. Restitution will be decided at a future hearing.


(Related) I don't remember getting a letter from JCPenney...

http://www.databreaches.net/?p=10878

JC Penney, Wet Seal: Gonzalez Mystery Merchants

March 27, 2010 by admin

While major news sources rushed to report yesterday that Albert Gonzalez was sentenced yesterday to 20 years plus one day for the Heartland Payment Systems breach, a term to run concurrently with his other sentence, Brooklynne Kelly Peters and Evan Schuman of StorefrontBacktalk led with providing the answer to a question many of us had: who were the two unidentified retailers who were also hit by the hacking ring?

JCPenney and Wet Seal were both officially added to the list of retail victims of Albert Gonzalez on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and removed the seal from their names. StorefrontBacktalk had reported last August that the $17 billion JCPenney chain was one of Gonzalez’s victims, even though JCPenney’s media representatives were denying it.

Good for Judge Woodlock! [Agree! Bob] The blog reports that despite the retailers’ efforts to prevent disclosure of their identities, the judge ruled in favor of disclosure:

“I’m not convinced,” Woodlock said, adding that he believed that both retailers should have announced their involvement from the start, that consumers had the right to know. He said he would not provide the companies “insulation from transparency.”

The judge stressed that the companies were seeking privacy as though they were individual victims, which he said was like “hermaphroditing a business corporation.” Back in November, an attorney for J.C. Penney asked the judge to protect its “dignity,” phrasing that might have set his Honor off.

Read more on StorefrontBacktalk.

[From Storefront:

Michael Ricciuti, in Boston federal court Friday, argued to the judge that no consumers were impacted by the breach as the data grabbed from JCPenney was not sufficient to create bogus cards. Ricciuti added that there was therefore no need for consumers to know the company’s vulnerabilities.


(Related) Perhaps we should forward this to JCPenney and Wet Seal?]

http://www.databreaches.net/?p=10882

Federal Information Security and Data Breach Notification Laws

March 27, 2010 by admin

From Congressional Research Service:

Federal Information Security and Data Breach Notification Laws

Gina Stevens

Legislative Attorney

January 28, 2010

The following report describes information security and data breach notification requirements included in the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act. Also included in this report is a brief summary of the Payment Card Industry Data Security Standard (PCI DSS), an industry regulation developed by VISA, MasterCard, and other bank card distributors.

Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to such information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification.

Expectations of many are that efforts to enact data security legislation will continue in 2010. In the first session of the 111th Congress the House passed H.R. 2221 (Rush and Stearns), the Data Accountability and Trust Act, which would apply only to businesses engaged in interstate commerce, and require data security programs and notification of breaches to affected consumers. The Senate Judiciary Committee approved S. 139 (Feinstein), the Data Breach Notification Act, which would apply to any agency, or business engaged in interstate commerce; and S. 1490 (Leahy), the Personal Data Privacy and Security Act of 2009, which would apply to business entities engaged in interstate commerce and require data security programs and notification to individuals affected by a security breach. S. 1490 also includes data accuracy requirements for data brokers, and requirements concerning government access to and use of commercial data.

For related reports, see the Current Legislative Issues Web page for “Privacy and Data Security” available at http://www.crs.gov/Pages/subissue.aspx?cliid=2105&parentid=14. This report will be updated.

Full Report (pdf) via Docuticker.



Predicting the joy of Electronic Health Records.

http://www.phiprivacy.net/?p=2307

EMR Data Theft Booming

By Dissent, March 26, 2010 12:48 pm

Nicole Lewis reports:

Acceleration in the use of electronic medical records may lead to an increase in personal health information theft, according to a new study that shows there were more than 275,000 cases of medical information theft in the U.S. last year. Unlike stealing a driver’s license or a credit card, data gleaned from personal health records provides a wealth of information that helps criminals commit multiple crimes, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm.

Information such as social security numbers, addresses, medical insurance numbers, past illnesses, and sometimes credit card numbers, can help criminals commit several types of fraud. These may include: making payments from stolen credit card numbers and ordering and reselling medical equipment by using stolen medical insurance numbers.

A key finding from the report is that fraud resulting from exposure of health data has risen from 3% in 2008 to 7% in 2009, a 112% increase.

Read more on InformationWeek.

[From the article:

Van Dyke's prediction is that as medical providers increase their use of electronic medical records, the incidents of fraud will increase. [That prediction falls into the “Well, Duh!” category. Bob]

"We think medical providers aren't up to the task. They won't have security best practices in place to match the incidents of fraud, and we think theft of personal health information is going to get worse," Van Dyke said.

… The study also found that there's a big difference between the misuse of data obtained through medical records, compared to other types of identity theft. For example, on average, criminals use information from medical records to commit fraud for 320 days as opposed to 81 days of misuse of information from other types of identity theft.

Additionally, it takes more than twice the time to detect medical information fraud and the average cost is $12,100, more than twice the cost for other types of identify theft.



Another site that aggregates information easily available on the Internet. Lots of bad information, but lots of accurate information too. Type your name and see for yourself. To “Opt out” you just give them more information...

http://www.pogowasright.org/?p=8589

Your personal information posted online

March 27, 2010 by Dissent

Jeremy Wolf reports:

It can list your address, a picture of your home, how much it cost, how long you have lived there, your approximate age and income, your relationship status and more. And it is online for anyone to see.

Spokeo.com takes information from social networking sites like Facebook and Twitter, and from phone books, marketing surveys and real estate listings to create a profile on you without asking.

“Some of the info that’s here on Spokeo is essentially public info and there’s no getting around it. Real estate sales for example,” Steve Beaty, a computer science professor at Metro State College, said.

[..]

In the lower right corner of the page there is a link labeled “Privacy.” Click on “Privacy” and paste the URL in the URL field. Then you need to enter your valid e-mail address and the code listed. Then click “Remove Listing.”

You should then get an e-mail and when you get the e-mail confirmation, you should follow the instructions to complete the removal of your name from the site.

Read more on 9News.



Government as usual. I can't believe Soprano & Soprano would miss an opportunity like this (or half the politicians in NY either).

http://news.slashdot.org/story/10/03/27/1228219/NYC-Drops-722M-On-CityTime-Attendance-System?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

NYC Drops $722M On CityTime Attendance System

Posted by Soulskill on Saturday March 27, @10:20AM

theodp writes

"New York City is reportedly paying 230 consultants an average annual salary of $400K for a computer project that is seven years behind schedule and vastly over budget. The payments continue despite Mayor Bloomberg's admission that the computerized timekeeping and payroll system — dubbed CityTime — is 'a disaster.' Eleven CityTime consultants rake in more than $600K annually, with three of them making as much as $676,000. The 40 highest-paid people on the project bill taxpayers at least $500K a year. Some of the consultants have been working at these rates for as long as a decade."



...and there is no off switch!

http://www.wired.com/wiredscience/2010/03/rfid/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

New RFID Tag Could Mean the End of Bar Codes

Researchers from Sunchon National University in Suncheon, South Korea, and Rice University in Houston have built a radio frequency identification tag that can be printed directly onto cereal boxes and potato chip bags. The tag uses ink laced with carbon nanotubes to print electronics on paper or plastic that could instantly transmit information about a cart full of groceries.

“You could run your cart by a detector and it tells you instantly what’s in the cart,” says James M. Tour of Rice University, whose research group invented the ink. “No more lines, you just walk out with your stuff.”



It is far easier to 'ban' anything we don't understand, rather than learn how to deal with it.

http://yro.slashdot.org/story/10/03/26/1824239/Fixing-Internet-Censorship-In-Schools?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Fixing Internet Censorship In Schools

Posted by Soulskill on Friday March 26, @03:58PM

jcatcw writes

"Schools and libraries are hurting students by setting up heavy-handed Web filtering. The problem goes back for years. A filter blocked the Web site of former House Majority Leader Richard Armey because it detected the word 'dick,' according to a 2001 study from the Brennan Center of Justice. The purpose of schools should be to teach students to live in a democratic society, and that means teaching critical thinking and showing students controversial Web sites, says Craig Cunningham, a professor at National-Louis University. He quoted from a National Research Council study: 'Swimming pools can be dangerous for children. To protect them, one can install locks ... [or] teach them to swim.' Web filtering also leads to inequities in education based on household income. Students from more affluent areas have access to the Internet at home and, often, more enlightened parents who can let them access information blocked in schools and libraries. Poorer students without home access don't have those opportunities."



Keep a sharp eye on those rascally employees.

http://www.bespacific.com/mt/archives/023847.html

March 26, 2010

New Application Can Monitor Employee Use of Social Networks

News release: "Social Sentry provides corporations the ability to monitor the social networking communications of their employees. Delivered as an easy to deploy SaaS offering, Social Sentry enables businesses to monitor employee activity on all major social networks such as Facebook and Twitter. It provides granular and real-time tracking to eliminate significant corporate risks related to: Compliance issues; Leakage of sensitive information; HR issues; Legal exposure; Brand damage; Financial impact."



For your Security Manager. Another example of what can go wrong with “automatic updates”.

http://tech.slashdot.org/story/10/03/26/179248/New-Malware-Overwrites-Software-Updaters?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

New Malware Overwrites Software Updaters

Posted by Soulskill on Friday March 26, @02:31PM

itwbennett writes

"Researchers at Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, have found a new type of malware that 'masks itself as an updater for Adobe Systems' products and other software such as Java,' wrote BKIS analyst Nguyen Cong Cuong in a post on the company's blog. BKIS showed screenshots of a variant of the malware that imitates Adobe Reader version 9 and overwrites the AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available."
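One defensive control this story argues for is not trusting an updater binary just because it has the expected file name. The script below is an added example, not code from BKIS, Adobe or the Slashdot post: it records a SHA-256 baseline for updater executables and re-checks them before they are run, so an updater that has been overwritten in place is flagged. The file name AdobeUpdater.exe comes from the story; the directory, file contents and the trojan replacement are constructed. On Windows the stronger check is the vendor's Authenticode signature, which this hash baseline complements rather than replaces.

```python
"""Baseline-and-verify integrity check for auto-updater binaries.

Added example (not from the BKIS post or the Slashdot story): records a
SHA-256 baseline of updater executables and later re-checks them, so an
updater that has been overwritten by something else is flagged before it
is allowed to run. Directory, file contents and the "trojan" are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Map each updater path (as a string) to its known-good digest."""
    return {str(p): hash_file(Path(p)) for p in paths}


def verify(baseline: dict) -> dict:
    """Compare current digests with the baseline.

    Returns {path: 'ok' | 'modified' | 'missing'}; anything other than
    'ok' means the updater must not be launched until it has been examined.
    """
    report = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            report[path] = "missing"
        elif hash_file(p) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo() -> dict:
    """Constructed scenario: baseline a fake updater, then overwrite it in place."""
    with tempfile.TemporaryDirectory() as tmp:
        # Name taken from the story; the bytes are placeholders, not a real binary.
        updater = Path(tmp) / "AdobeUpdater.exe"
        updater.write_bytes(b"genuine updater bytes v9")
        baseline = build_baseline([updater])
        assert verify(baseline)[str(updater)] == "ok"
        # Malware replaces the updater but keeps the expected file name.
        updater.write_bytes(b"something masquerading as the updater")
        return verify(baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # the single entry reads "modified"
```

The baseline itself has to live somewhere the updater cannot write (a read-only share or a signed manifest), otherwise whatever replaced the updater can simply refresh the baseline too.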



The latest version of “Maybe we can make money this way...” If I had to bet, my money would be on “Not a chance.”

http://news.slashdot.org/story/10/03/27/0356211/The-Times-Erects-a-Paywall-Plays-Double-Or-Quits?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The Times Erects a Paywall, Plays Double Or Quits

Posted by timothy on Saturday March 27, @05:42AM

DCFC writes

"News International, owners of The Times and The Sunday Times announced today that from June readers will be required to pay £1 per day or £2 per week to access content. Rupert Murdoch is delivering on his threat to make readers pay, and is trying out this experiment with the most important titles in his portfolio. No one knows if this will work — there is no consensus on whether it is a good or bad thing for the industry, but be very clear that if it succeeds every one of his competitors will follow. Murdoch has the luxury of a deep and wide business, so he can push this harder than any company that has to rely upon one or two titles for revenue."



Record labels have never treated their artists as “Clients” – to be protected and nurtured. Why would this be any different?

http://www.motherboard.tv/2010/3/26/beyonce-s-record-company-puts-a-ring-on-her-youtube-channel--2

Of Course, Beyonce's Record Company Puts a Ring On Her YouTube Channel

Posted by Will_Han on Friday, Mar 26, 2010

It’s not really surprising at all: today Beyonce’s official YouTube channel is blocked in the US due to a copyright infringement issue with her own record label, Sony. Below a banner that reads “Congratulations for winning six Grammy Awards” – presumably from Sony, the video for “Single Ladies (Put a Ring On It)” has been replaced by this notice: “This video contains content from Sony Music Entertainment, who has blocked it in your country on copyright grounds.”



I would never say that Microsoft “owns the legislature in Washington” but I can say that they bend over backward to devise Microsoft-friendly laws.

http://politics.slashdot.org/story/10/03/26/1818241/10-Tax-On-Custom-Software-100M-Tax-Cut-For-Microsoft?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

10% Tax On Custom Software, $100M Tax Cut For Microsoft

Posted by Soulskill on Friday March 26, @03:14PM

reifman writes

"Last week, the Washington State House of Representatives passed a bill which would impose a 10% tax on custom software while all but eliminating a $100 million yearly tax obligation that some say Microsoft is wrongfully avoiding by routing large chunks of business through an office in Nevada. 'I believe we've got an issue of justice and fairness here,' said Rep. Maralyn Chase. 'Most of the custom software purveyors are small businesses. It's a question for me of how we fairly distribute the tax burden.' 'It means that a 5 person team of entrepreneurs building a cool custom software suite, or a group of system integrators, would face a 10% tax on their services while keeping the exact same project in-house would not be taxed,' wrote Rep. Reuven Carlyle. 'It would be a massive blow to the entrepreneurial community in our state.' The bill won't become law until the House and Senate work out how best to raise another $300 million in taxes. A sales tax increase on consumers is also being considered."



For my Computer Security students.

http://news.cnet.com/8301-1023_3-20001250-93.html?part=rss&subj=news&tag=2547-1_3-0-20

Survey: 63% don't change passwords very often

Security firm Symantec on Friday released results of a survey on password management that showed 63 percent of respondents don't change their passwords very often, 45 percent use a few passwords that they alternate for all accounts, and some 10 percent don't change their passwords at all.

These are startling numbers as, according to the survey, 44 percent of respondents said they have more than 20 accounts that require a password.



For my website students. A “multiple choice” hyperlink.

http://www.killerstartups.com/Web-App-Tools/butns-com-more-intelligent-hyperlinks

Butns.com - More Intelligent Hyperlinks

http://www.butns.com/

Butns is a new technology that will empower you to display hyperlinks that are more intelligent, or richer at the very least. You see, using this site you can come up with hyperlinks that could direct your visitors to several destinations. When they place the pointer over the word in question, a window will pop up displaying the possible destinations that you (as the webmaster) have preconfigured. It is all a mere matter of choosing one and they will be taken straight to it.



Think of this as the Internet equivalent of those Ransom Notes with letters cut from magazines...

http://www.makeuseof.com/dir/picurious-spell-words-with-flickr

PiCurious: Spell Words With Flickr Images

PiCurious is a dead simple and fun tool that lets you spell words with Flickr. Just enter any word and PiCurious will fetch Flickr photos displaying each alphabet of the word. If you don’t like a particular alphabet, just click on it and PiCurious will display a new one.

www.picurio.us/words

Similar tool: Spell With Flickr



Wow! I can grab some background beats for my security-rap lectures!

They call you a Nerd

'least, that's what I've heard

so, make 'em change their password

Word! Word! Word!

http://www.freetech4teachers.com/2010/03/free-royalty-free-music-for-education.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+freetech4teachers%2FcGEY+%28Free+Technology+for+Teachers%29

Friday, March 26, 2010

Free Royalty Free Music for Education

When creating an audio podcast or a video that uses music tracks, the sure way to avoid any worries about copyright infringement is to use music you created. Unfortunately, often that is not a feasible option for a lot of folks. The next best thing to using music you created is to use Creative Commons licensed music or royalty free music. Royalty Free Music hosts music tracks that can be reused in numerous ways. Royalty Free Music charges the general public for their downloads, but students and teachers can download quite a bit of the music for free. To access the free music tracks students and teachers should visit the education page on Royalty Free Music.

Here are some related items that may be of interest to you:

Sound Bible - Free Sound Clips

PodSafe Audio - Sounds for Podcasts

Free Music Archive

Friday, March 26, 2010

Better. A couple of days ago the guy who sold him a sniffer was fined less than he made selling the software (less than the IRS would have taxed him.)

http://www.databreaches.net/?p=10834

Gonzalez sentenced to 20 years for TJX hack

March 25, 2010 by admin

Albert Gonzalez was sentenced today to 20 years in prison for the TJX hack and breaches involving retailers, a new record in sentencing for hacking.* He faced up to 25 years. He has yet to be sentenced in the Heartland Payment Systems breach, but that sentencing is expected tomorrow, and the sentences are expected to run concurrently under a plea agreement struck between the defense and prosecutors.

Kim Zetter reports:

The sentence for the largest and costliest computer-crime case ever prosecuted is the longest ever imposed in a hacking or identity-theft case. And it is among the longest imposed for a financial crime. It beats out a sentence recently imposed on hacker Max Ray Vision, who received 13 years in prison for similar crimes and was ordered to pay $27.5 million in restitution.

Gonzalez, 28, who dubbed his criminal enterprise “Operation Get Rich or Die Tryin’,” argued in court that his only motive was technical curiosity and an obsession with conquering computer networks. But chat logs the government obtained showed Gonzalez confiding in one of his accomplices that his goal was to earn $15 million from his schemes, buy a yacht and then retire.

Read more on Threat Level.

*So far, the record I’ve seen for sentencing in cases involving ID theft is the 309 year sentence handed out to Robert Thompson.


(Related)

http://www.databreaches.net/?p=10847

Dave & Buster’s Settles FTC Charges it Failed to Protect Consumers’ Information

March 25, 2010 by admin

Entertainment operation Dave & Buster’s, Inc. has agreed to settle Federal Trade Commission charges that the company left consumers’ credit and debit card information vulnerable to hackers, resulting in several hundred thousand dollars in fraudulent charges. Dave & Buster’s operates 53 restaurant and entertainment complexes across the country under the names Dave & Buster’s, Dave & Buster’s Grand Sports Café, and Jillian’s.

Dave & Buster’s will put in place a comprehensive information security program as a condition for settling the case. This is the FTC’s 27th case challenging faulty data security practices by organizations that handle sensitive consumer information.

According to the FTC, Dave & Buster’s collects credit card numbers and expiration dates from customers in order to obtain authorization for payment card purchases. The agency alleges the company failed to take reasonable steps to secure this sensitive personal information on its computer network. Specifically, it failed to:

  • Take sufficient measures to detect and prevent unauthorized access to the network.

  • Adequately restrict outside access to the network, including access by Dave & Buster’s service providers.

  • Monitor and filter outbound data traffic to identify and block the export of sensitive personal information without authorization.

  • Use readily available security measures to limit access to its computer networks through wireless access points.

The FTC alleged that, as a result of these failures, a hacker exploited some of those vulnerabilities, installed unauthorized software and accessed about 130,000 credit and debit cards. The banks that issued the cards have claimed several hundred thousand dollars in fraudulent charges.
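The third item on the FTC's list, monitoring and filtering outbound traffic, is the control that turns a quiet intrusion into an alert. The script below is an added example, not anything from the FTC complaint or the settlement: it runs two checks over flow records leaving a card-processing segment, an allow list of approved egress destinations and a per-host byte threshold. The segment, the addresses (documentation ranges), the flow records and the threshold are all constructed; a real deployment would read firewall or NetFlow logs and tune the threshold to its own baseline.

```python
"""Outbound-traffic egress monitor over constructed flow records.

Added example, not from the FTC complaint or the settlement: demonstrates
the "monitor and filter outbound data traffic" control the FTC said was
missing. Segment, addresses, flow records and threshold are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: the card-processing segment and the one payment processor
# endpoint it is allowed to talk to. Anything else leaving the segment is suspect.
CARD_SEGMENT = ip_network("10.20.0.0/24")
APPROVED_EGRESS = {("203.0.113.10", 443)}   # documentation address standing in for the processor
BYTES_THRESHOLD = 5_000_000                  # per source host, per destination/port

# Constructed flow log, one record per line: "timestamp,src,dst,dst_port,bytes_out"
FLOWS = """\
2010-03-25T02:01:10,10.20.0.15,203.0.113.10,443,12000
2010-03-25T02:01:12,10.20.0.15,203.0.113.10,443,9800
2010-03-25T02:02:30,10.20.0.21,198.51.100.77,21,7340032
2010-03-25T02:03:05,10.20.0.21,198.51.100.77,21,2100000
2010-03-25T02:04:00,10.20.0.30,192.0.2.44,80,1500
2010-03-25T02:05:00,10.30.0.5,192.0.2.44,80,90000000
""".strip().splitlines()


def parse_flow(line: str) -> dict:
    """Turn one CSV record into a dict; raises ValueError on a malformed line."""
    ts, src, dst, port, nbytes = line.split(",")
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def find_egress_alerts(lines, segment=CARD_SEGMENT, approved=APPROVED_EGRESS,
                       threshold=BYTES_THRESHOLD) -> list:
    """Two checks on every flow that originates inside the protected segment:

    1. destination/port not on the allow list -> alert (policy violation)
    2. cumulative bytes from one host to one destination/port above the
       threshold -> alert (volume anomaly), approved destination or not
    Returns a sorted list of (src, dst, port, reason) tuples, one per finding.
    """
    totals = defaultdict(int)
    alerts = set()
    for line in lines:
        f = parse_flow(line)
        if ip_address(f["src"]) not in segment:
            continue  # hosts outside the card segment are out of scope here
        key = (f["src"], f["dst"], f["port"])
        if (f["dst"], f["port"]) not in approved:
            alerts.add(key + ("unapproved destination",))
        totals[key] += f["bytes"]
        if totals[key] > threshold:
            alerts.add(key + ("volume above threshold",))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, port, reason in find_egress_alerts(FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
```

On the constructed records the host talking to the processor raises nothing, the host pushing several megabytes to an FTP server raises both a policy and a volume alert, and the small HTTP flow to an unlisted address raises a policy alert only. The allow list is deliberately (address, port) rather than address alone, since the usual mistake is approving a host and thereby approving every service on it.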

The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year for 10 years, to ensure that the security program meets the standards of the settlement. In addition, the proposed settlement contains standard record-keeping provisions to allow the FTC to monitor compliance.

The Commission vote to approve the complaint and proposed consent order was 4-0. An analysis of the proposed consent order will be published in the Federal Register shortly and will be subject to public comment for 30 days, until April 26, 2010, after which the Commission will decide whether to make it final.

Copies of the complaint, proposed consent agreement, and an analysis of the agreement to aid in public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580.

Source: FTC



Spring is in the air, and students are in your computer system. Like many similar breaches, they claim to have great security and then state they will make many changes because of the breach.

http://www.databreaches.net/?p=10842

Student Hacks Into Valencia High System

March 25, 2010 by admin

Ah, it’s Spring, and young students’ thoughts turn to hacking….

Jeremiah McDaniel reports on yet another case, this one in California:

A Valencia High School student faces criminal charges for hacking into the school’s network.

The student hacked into the system and made changes to information, according to Paul Priesz, the school’s Principal.

“The student had access to everything,” [Which can only happen if they secured nothing... Bob] said Priesz. “He [the student] said that he changed things but then he changed them back.” [But we wouldn't know, because we don't bother logging anything. Bob]

The incident occurred on March 9 and, according to Priesz, he was able to gain access to the entire district’s system but only went into the Valencia portion.

Read more on KHTS AM-1220, Hometown Station.



Interesting who the “anonymous” poster was. But if the email addresses were the same, was the Judge actually trying to be anonymous? Her daughter claims she did the posting, so did the paper mis-identify her?

http://www.pogowasright.org/?p=8568

Plain Dealer sparks ethical debate by unmasking anonymous poster

March 26, 2010 by Dissent

Henry J. Gomez reports:

By unmasking an anonymous poster at its companion Web site, The Plain Dealer finds itself in an ethical quandary, stirring a debate that balances the public’s need to know against the privacy concerns of online participants.

On one side are experts who believe the newspaper has violated a trust by exploring and revealing information about a critic. On the other are those, including Plain Dealer Editor Susan Goldberg, who believe that information is too important not to see the light of day.

Until this week, “lawmiss” was known only as one of thousands who, often known only by nicknames, share views on news blogs and stories reported at cleveland.com.

But after investigating a comment directed at the relative of a Plain Dealer reporter, editors learned that lawmiss had the same e-mail address as Cuyahoga County Common Pleas Judge Shirley Strickland Saffold. A closer look revealed that the user had offered opinions on three of Saffold’s cases, including the capital murder trial of accused serial killer Anthony Sowell.

Read more on The Plain Dealer. The article contains reaction statements from a number of organizations and individuals.

Related: Anonymous online comments are linked to the personal e-mail account of Cuyahoga County Common Pleas Judge Shirley Strickland Saffold

What do you think? Should the paper have delved into her identity on the basis of her comments? Even if you agree that once the newspaper knew her identity that it was too newsworthy not to reveal, should they ever have been in the position of knowing her identity?



I haven't seen much about this case, but apparently there is some political value in Privacy...

http://www.pogowasright.org/?p=8557

EFF to Press for New Privacy Protections Against Hidden Video Surveillance in Senate Hearing Monday

March 26, 2010 by Dissent

From EFF:

On Monday, March 29, at 10 a.m., the Subcommittee on Crime and Drugs of the U.S. Senate Judiciary Committee will hold a public hearing in the Philadelphia federal courthouse on whether the federal electronic privacy laws need to be updated to better regulate secret video surveillance. Senior Staff Attorney Kevin Bankston of the Electronic Frontier Foundation (EFF) will testify.

Subcommittee Chairman Arlen Specter called the hearing in response to recent allegations that public schools in the Lower Merion School District in Pennsylvania have secretly used webcams on school-issued laptops to visually monitor students while they were in their homes. At Monday’s hearing, Bankston will urge Congress to update the federal wiretapping statute to protect against secret video surveillance in the same way it protects against secret eavesdropping on private conversations. Such a change to the law would clearly require the government to obtain a search warrant before engaging in secret video surveillance of private places and would protect against similar spying by non-government actors, such as stalkers, computer criminals, private schools, [But not Public Schools? Bob] private employers and others.

“It doesn’t make sense that federal law regulates secret eavesdropping but doesn’t equally protect us from secret video surveillance, which can be even more invasive,” said Bankston. “Just as the federal wiretapping statute protects against electronic eavesdropping, it should also protect against secret video recording, whether in the home or in any other place where people have a reasonable expectation that they are not going to be photographed.”

WHO: Kevin Bankston Senior Staff Attorney, Electronic Frontier Foundation

WHAT: “Video Laptop Surveillance: Does Title III Need to Be Updated?” U.S. Senate Judiciary Committee, Subcommittee on Crime and Drugs

WHEN: 10 a.m. Monday, March 29

WHERE: U.S. District Court for the Eastern District of Pennsylvania Courtroom 3B 601 Market Street Philadelphia, PA 19106

For more on the hearing: http://judiciary.senate.gov/hearings/hearing.cfm?id=4492


(Related articles:

http://www.networkworld.com/news/2010/032210-high-school-webcam-follies-part.html

High school Webcam follies, part II: Dumb and dumber

… The two IT admins who had the ability to turn on the cams are on administrative leave pending the outcome of the district investigation (standard operating procedure, says the school district). One of these techs, Mike Perbix (whose voice can be heard in this video bubbling with excitement over the LANrev tracking technology) is cooperating with the investigation. So is the vice principal, Lindy Matsko. However, the other tech, Carol Cafiero, has refused to give a deposition in the case.

According to a report in the Philadelphia Daily News:

....her attorney, Charles Mandracchia, filed a motion yesterday to block her deposition, saying that it was "premature" and "unnecessary."

Mandracchia said that his client does not have access to pertinent documents. He expressed concern that Robbins' attorney, Mark Haltzman, would "ambush her" in a deposition.

… The Inquirer's Joe Tanfani has a great story detailing the history of the case, from the decision to adopt the tracking software (while forgetting to tell anyone about it) to what really happened in the Robbins case. From his account, it sounds like an accumulation of largely well-intentioned-but-brain-dead mistakes. It's worth a read.

[From the Inquirer's story:

In a new twist, sources say administrators decided to talk to Blake Robbins in part because they were worried about a threatening text message to the sophomore captured in their surveillance software.

[Are they now saying they also monitor student text messaging? Bob]



Perhaps China's insistence that companies “do it our way” is just a bit too much?

http://hardware.slashdot.org/story/10/03/25/2054238/Dell-To-Leave-China-For-India?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Dell To Leave China For India

Posted by timothy on Thursday March 25, @05:00PM

halfEvilTech writes

"India's Prime Minister, Manmohan Singh, told the Indian press that Dell chairman Michael Dell assured him that Dell was moving $25 billion in factories from China to India. Original motives were cited for environmental concerns. But later details came up as to Dell wanting a 'safer environment conducive to enterprise.'"



Useful teacher stuff...

http://www.makeuseof.com/tag/screenpresso-lightweight-jing-alternative-advanced-capturing-annotating-options-windows/

Screenpresso – A Lightweight Jing Alternative With Advanced Options (Windows Only)

… We have discussed convenient Firefox extensions for screen capturing, as well as desktop programs that facilitate instant uploading to media sharing sites, capturing entire webpages without having to scroll, or just make the Print Screen button archaic.

Jing is a popular choice in the sea of screen-capturing tools, but its image editing tools include only a handful of very basic features.

… In my search for a good alternative to Jing that saved me from the latter’s missing features, I basically assaulted about ten free screen-capturing tools inside out, but only Screenpresso came out trumping all others.

… The current lack of video capturing in Screenpresso doesn’t really bother me as I prefer to use the web-based Screencast-O-Matic (review, website) tool that records your screen in unbelievably good quality and requires no signing-up.



For my Statistics students. Also note how closely the cost of a toasted cheese sandwich matches Al Gore's graph of Global Warming.

http://timetric.com/



Or you could just stalk someone else?

http://www.killerstartups.com/Mobile/itag-com-stop-worrying-about-losing-your-smartphone

iTag.com - Stop Worrying About Losing Your Smartphone

http://www.itag.com/login.htm

There are few things that a true geek could fear more than losing his smartphone. And the truth is that no matter how diligent one is, disaster always strikes sooner or later. And in 9 out of 10 times, it strikes at the worst time you could ever imagine.

The services rendered by this company give everybody the peace of mind of knowing that if his smartphone becomes lost along the way he will be able to locate it easily. Although only Android phones are supported right now, this is meant to change before long.

… This is done by installing an application that will pinpoint the location of the mobile by way of its provided GPS. The information can be accessed through the company’s website, and this service on the whole is provided for free.

However, note that a paid incarnation of iTag does exist, and that it will let you perform advanced operations such as deleting the whole memory of the phone by merely clicking a button, and also make it ring in order to find it even quicker.



Well, it's about time!

http://cellphones.org/blog/cell-phone-etiquette/

Cell Phone Etiquette

Posted by: admin on March 25th, 2010 at 1:27am

[I will also show my students these videos:

http://www.youtube.com/watch?v=GPbMpadn9ZA

http://www.youtube.com/watch?v=S1wxx5PPrA4

Thursday, March 25, 2010

This is an interesting question. How much is to repair actual damage caused, and how much is to implement the security that should have been there in the first place?

http://www.databreaches.net/?p=10819

Recommended: Gonzalez Lawyers, Judges Debate Data Breach Costs

March 25, 2010 by admin

Evan Schuman writes:

When two Boston-based federal judges sentence Albert Gonzalez Thursday (March 25) and Friday (March 26) for a rash of retail cyber-break-ins that he confessed to orchestrating, the exact sentence may be academic. The key legal argument is shaping up to be this question: “When a retailer is breached, what’s the most reasonable way to determine loss?” The answer is proving to be as baffling—or contradictory—to the federal jurists as it is for most retail CIOs.

[...]

The law says the court should define “loss” as “the greatest of actual loss or intended loss.” The government cited a recent appellate court decision as offering yet a third metric: “The First Circuit has held that, in the case of stolen credit cards, intended loss reasonably may be found to be the stolen payment cards’ aggregate credit limit, since it is natural and probable to expect that purchasers of the stolen card numbers will charge as much as possible to them. It is also reasonable to hold a defendant accountable for the amount of loss as measured by the aggregate credit limit, even though the defendant’s personal profit has been dramatically less.”

Defense counselor Martin Weinberg disagreed. He pointed out that “the government’s discussion omits the fact that tens of millions of the accounts had expired and would therefore no longer have had credit limits at all.” He added that “the $500 per access device equation from which this figure is derived is completely arbitrary and lacking in any empirical validation” and that it was “irrational.”

Read more on StorefrontBacktalk.

Not for nothing, but the court documents in the Gonzalez case use figures for the TJX breach that do not match what media and web sites such as this one have reported in terms of number of account numbers or records stolen. For example, Weinberg refers to the TJX breach as capturing 36 million card numbers, not 45 million or 94 million (as the banks had claimed in their lawsuit).



Another high school in the Philadelphia area. What are they teaching these kids?

http://www.databreaches.net/?p=10817

Haddonfield students arrested in computer hacking

March 25, 2010 by admin

Another hack-to-change-grades scheme?

Several Haddonfield Memorial High School students are under police investigation on accusations they hacked into the school’s computer system.

The breach was discovered in the last few days, and the students, whom school district officials declined to identify, have been turned over to local police [That is what the article says, but I suspect that only “names” were turned over to police, unless the school has arrest powers? Bob] and the Camden County Prosecutor’s Office.

At a regularly scheduled meeting with parents to discuss end-of-year activities, principal Michael Wilson said the FBI might get involved in the investigation.

The students used a keystroke-logging program installed on computers at the high school to capture the user names and passwords of anyone using one of the rigged computers.

With that data, they gained access to an internal information system on which the school posts grades, class schedules, attendance, even the status of homework assignments for students and their parents to view.

In an e-mail to students and parents, Wilson said the students had gained access to about 200 of the nearly 2,000 accounts that have access to the computer system at the high school.

Read more on Philly.com

[From the article:

"We are confident we have identified the students and built in the appropriate controls to restrict their activity and that of anyone else who may foster a similar plan." [If they were using the Principal's Logon ID, how did they identify the students? Didn't the reporter ask? Bob]



So is a Twitter Hacker a Twacker? How do you say that in French? Monsieur le Twackeur?

http://www.pogowasright.org/?p=8534

Cops: Notorious Twitter hacker caught, released

March 24, 2010 by Dissent

Caroline McCarthy reports:

Twitter’s equivalent of an elusive masked bandit was caught in France this week, according to an Agence France-Presse story citing police sources, after the FBI began working with authorities there. A 25-year-old who goes by the name “Hacker Croll,” believed to be responsible for two high-profile Twitter hacking incidents in which both celebrity accounts and internal servers were breached, was reportedly in police custody in the French city of Clermont-Ferrand before being released later on Wednesday.

The hacker was allegedly behind an attack about a year ago in which the Twitter accounts of celebrities ranging from Britney Spears to President Obama were breached; he gained access to a Twitter administrator’s password by hacking that administrator’s Yahoo Mail account first… It’s also likely that the hacker arrested in France was responsible for an internal Twitter security breach that gave him access to hundreds of sensitive company documents–which he then turned over to industry blog TechCrunch.

Read more on CNET.



No wonder computers get stolen!

http://www.databreaches.net/?p=10774

American Traffic Solutions leaves building open

March 24, 2010 by admin

What may be a corporate security breach at American Traffic Solutions was uncovered by CameraFRAUD volunteers Saturday night. The photo radar ticket processing facility, located in the Phoenix suburb of Ahwatukee, was reportedly left unlocked and unattended:

Numerous bundles of network cables were spotted throughout the building, potentially allowing anyone with a laptop to access internal systems containing vital “chain of evidence” data. A dozen trashcans full of unshredded documents were spotted, possibly containing sensitive data on their “customers:” so-called “violators” who are accused of triggering the automated ticketing machines.

Read more on CameraFraud.

American Traffic Solutions has not responded to a request by this site to clarify whether any personal data were exposed or left vulnerable by the incident. A number of commenters on the original article debate CameraFRAUD volunteers’ conduct.

Thanks to ITRC for making me aware of this incident.



Another clear indication that “Secure” doesn't really mean “Secure”.

http://www.wired.com/threatlevel/2010/03/packet-forensics/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Law Enforcement Appliance Subverts SSL

By Ryan Singel March 24, 2010 1:55 pm

… At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.


(Related)

http://blogs.zdnet.com/security/?p=5865

Pwn2Own hack topples Firefox on Windows

… And, for the second year in a row, a German hacker known simply as “Nils” exploited a previously unknown vulnerability in Mozilla Firefox to take complete control of a 64-bit Windows 7 machine.



Don't say we didn't warn you.

http://www.bespacific.com/mt/archives/023834.html

March 24, 2010

New GAO Reports: Information Security, Joint Strike Fighter, Veterans' Disability Benefits, Recovery Act

  • Information Security: Concerted Response Needed to Resolve Persistent Weaknesses, GAO-10-536T, March 24, 2010: "Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyber attacks against the United States; these attacks continue to pose a potentially devastating impact to systems as well as the operations and critical infrastructures that they support."

  • Joint Strike Fighter: Significant Challenges and Decisions Ahead, GAO-10-478T, March 24, 2010

  • Veterans' Disability Benefits: VA Has Improved Its Programs for Measuring Accuracy and Consistency, but Challenges Remain, GAO-10-530T, March 24, 2010

  • Recovery Act: Officials' Views Vary on Impacts of Davis-Bacon Act Prevailing Wage Provision, GAO-10-421, February 24, 2010



Another tool, but how to use it?

http://www.pogowasright.org/?p=8530

Google Alerts Gmail Users to Suspicious Logins

March 24, 2010 by Dissent

Riva Richmond reports:

Google has introduced a new security feature that alerts Gmail users whose e-mail accounts may have been broken into by a malicious intruder and helps them regain full control.

In a blog post Wednesday, Google said that if it sees unusual account activity, such as an uncharacteristic login from a computer with a suspicious I.P. address in Poland, it will show a warning in a red bar at the top of the page. Users will be able to click to get more information, or hit “Ignore” if they were, indeed, in Poland and nothing is wrong. [Or if you are the crook in Poland? Bob]

Users who click for more details will see a list of their recent account activity, including the numerical I.P. addresses of computers that have accessed the account and the number of devices logged in at the same time — for instance, you at home in New York and a mysterious someone in Nigeria. A warning in a red bar asks users to change their password immediately if they see activity that was not theirs.

Read more in the New York Times Gadgetwise blog.
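As an added illustration of the two checks the article describes (a login from a place the account has never used, and a second live session from a different place), here is a small detector over constructed login records. It is not Google's code; the sample data, session lifetime and country lookups are assumptions.

```python
"""Added example: login-anomaly checks of the kind the article describes.

Constructed sample data and thresholds; this is not Google's implementation.
The IP addresses are documentation-range placeholders and the country codes
stand in for a geolocation lookup.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records: (user, ISO timestamp, client IP, geolocated country)
EVENTS = [
    ("alice", "2010-03-24T08:00:00", "203.0.113.5",   "US"),
    ("alice", "2010-03-24T09:10:00", "203.0.113.5",   "US"),
    ("alice", "2010-03-24T09:25:00", "198.51.100.77", "NG"),
    ("bob",   "2010-03-24T10:00:00", "192.0.2.9",     "PL"),
    ("bob",   "2010-03-25T10:05:00", "192.0.2.9",     "PL"),
]

SESSION_TTL = timedelta(hours=2)  # assumed: a login counts as "logged in" this long


def detect(events, history=None):
    """Return (kind, user, ip, country) alerts for unusual logins.

    history maps user -> countries already seen (the account's baseline).
    Two signals, matching the warning page described in the article:
      new_country          - a login from a country the account has never used
      concurrent_countries - another live session from a different country
    """
    seen = defaultdict(set)
    for user, countries in (history or {}).items():
        seen[user] = set(countries)
    active = defaultdict(list)  # user -> [(timestamp, country)] sessions still live
    alerts = []
    for user, when, ip, country in sorted(events, key=lambda e: e[1]):
        ts = datetime.fromisoformat(when)
        # With no baseline yet, the first login defines "normal".  That is the
        # weak spot: whoever logs in first, owner or intruder, sets the baseline.
        if seen[user] and country not in seen[user]:
            alerts.append(("new_country", user, ip, country))
        # Drop sessions older than the TTL, then look for a live one elsewhere.
        active[user] = [(t, c) for t, c in active[user] if ts - t <= SESSION_TTL]
        if any(c != country for _, c in active[user]):
            alerts.append(("concurrent_countries", user, ip, country))
        active[user].append((ts, country))
        seen[user].add(country)
    return alerts


def recent_activity(events, user):
    """The per-account list the article says users can inspect: (timestamp, ip, country)."""
    return [(w, i, c) for u, w, i, c in sorted(events, key=lambda e: e[1]) if u == user]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
    print(recent_activity(EVENTS, "alice"))
```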



Imagine how much easier this will be when all our Health Records are online!

http://www.phiprivacy.net/?p=2289

Your health, tax, and search data siphoned

By Dissent, March 25, 2010 9:19 am

Dan Goodin reports:

Google, Yahoo, Microsoft’s Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper.

Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol.

[...]

“An eavesdropper can infer the medications/surgeries/illnesses of the user, her annual family income and investment choices and money allocations, even though the web traffic is protected by HTTPS. We also show that even in a corporate building that deploys the up-to-date WPA/WPA2 wi-fi encryptions, a stranger without any credential can sit outside the building to glean the query words entered into employees’ laptops, as if they were exposed in plain text in the air.”

Read more in The Register.

A PDF of the paper is here. Princeton University computer science professor and Freedom to Tinker blogger Ed Felten has additional analysis here.
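To make the size side channel concrete, here is an added toy model (not the paper's code or anything from The Register): a hypothetical health-site autocomplete answers each keystroke with a suggestion list, and an on-path observer who sees only the encrypted response sizes narrows down what was typed. The vocabulary, response format and fixed per-record overhead are constructed; the padded variant shows what a mitigation buys and what it still leaks.

```python
"""Added example: size-based inference against an encrypted autocomplete.

Constructed model, not code from the paper or the article.  The body format,
vocabulary and per-record overhead are assumptions; real TLS adds a small,
nearly constant overhead, which is exactly why body sizes stay observable.
"""
from collections import defaultdict

# Constructed vocabulary for a hypothetical symptom lookup page.
VOCAB = ["asthma", "anemia", "arthritis", "diabetes", "depression",
         "dermatitis", "hepatitis", "hernia", "hiv"]

RECORD_OVERHEAD = 29  # assumed fixed per-record cost; it hides nothing about length


def suggestions(prefix):
    """Words the page would offer after the user has typed `prefix`."""
    return [w for w in VOCAB if w.startswith(prefix)]


def response_body(prefix):
    """Plaintext JSON-like reply for one keystroke; its length varies with the matches."""
    items = ",".join('"%s"' % w for w in suggestions(prefix))
    return '{"q":"%s","s":[%s]}' % (prefix, items)


def observed_size(prefix, pad_to=None):
    """What an on-path observer sees: the encrypted length, optionally padded to a bucket."""
    n = len(response_body(prefix))
    if pad_to:
        n = -(-n // pad_to) * pad_to  # round up to the next multiple of pad_to
    return n + RECORD_OVERHEAD


def capture(word, pad_to=None):
    """Sizes an observer records as the victim types `word` one character at a time."""
    return [observed_size(word[:i], pad_to) for i in range(1, len(word) + 1)]


def size_table(pad_to=None):
    """Map size -> prefixes producing it.  A defender can audit leakage with the same table."""
    table = defaultdict(set)
    for word in VOCAB:
        for i in range(1, len(word) + 1):
            table[observed_size(word[:i], pad_to)].add(word[:i])
    return table


def infer_word(size_trace, pad_to=None):
    """Narrow the vocabulary to words consistent with every observed size in the trace."""
    table = size_table(pad_to)
    candidates = set(VOCAB)
    for i, size in enumerate(size_trace, start=1):
        prefixes = {p for p in table.get(size, ()) if len(p) == i}
        candidates = {w for w in candidates if w[:i] in prefixes}
    return candidates


if __name__ == "__main__":
    # Unpadded: the second keystroke already pins the word down.
    print(infer_word(capture("diabetes")))
    # Two words whose replies are the same size at every keystroke stay ambiguous.
    print(infer_word(capture("anemia")))
    # Padded to 64-byte buckets: content is hidden, but the number of
    # keystrokes still leaks, so only words of at least 8 letters remain.
    print(infer_word(capture("diabetes", pad_to=64), pad_to=64))
```

Padding to a bucket removes the content signal here, but the count of round trips still reveals the query length; a real mitigation also has to decouple requests from keystrokes.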



You might call it convergence. Google will have a wired or wireless connection to every home, school, office and car. Why shouldn't they make a sales pitch that starts: “As long as we're here...”

http://hardware.slashdot.org/story/10/03/25/0318219/Google-Wants-To-Be-Your-Electricity-Meter?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Google Wants To Be Your Electricity Meter

Posted by samzenpus on Thursday March 25, @07:57AM

An anonymous reader writes

"Google has teamed up with microcontroller maker Microchip to develop an API for a piece of software called Google PowerMeter, according to this EE Times story. Why? Because Google wants to host all the details of the electricity and other energy consumption of people's homes. It wants to do this so that it can show people on their iGoogle homepages when and where they are consuming energy so that they can start to reduce their power consumption. The good news is that it is an opt-in service and free so you don't have to make Google your energy-monitor if you don't want to do so."



Convergence of a different kind?

http://news.cnet.com/8301-17852_3-10470474-71.html?part=rss&subj=news&tag=2547-1_3-0-20

Is Facebook to blame for U.K. rise in syphilis?



Normally not a big fan of slide shows, but I did learn a new word!

http://www.pogowasright.org/?p=8538

Cavoukian on Facebook privacy

March 25, 2010 by Dissent

Anne Cavoukian, the Information and Privacy Commissioner of Ontario, spoke at the Facebook Speaker Series in Palo Alto, California on Tuesday. The title of her talk was “Privacy …It’s All About Freedom: Maximizing Control, Maintaining Freedom of Choice.” The overheads from her talk are available online, here (pdf).

[From the slides:

pee-mail – (noun) a text message or email sent from your workplace bathroom because policy dictates you may not do so on company time.

[I also found this slide interesting:

The Default Rules:

80% of the time, whatever option is presented as the default, that will be the condition that prevails



Does this law “Get it right?” Is this the direction we want to move?

http://www.databreaches.net/?p=10831

Addition to Washington Breach Law Imposes Retailer Liability in Payment Card Breaches

March 25, 2010 by admin

Under a Washington law effective July 1, 2010, certain entities involved in payment card transactions may be liable to financial institutions for costs associated with reissuing payment cards after security breaches. Designed to encourage the reissuance of payment cards as a means of mitigating harm caused by security breaches, Washington H.B. 1149 applies to three types of entities: businesses, processors and vendors. Under the law, a business is an entity that “processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to . . . residents of Washington.” A processor is any entity, other than a business, that “directly processes or transmits [payment card] account information for or on behalf of another person as part of a payment processing service.” A vendor is any “entity that manufactures and sells software or equipment that is designed to process, transmit, or store [payment card] account information or that maintains account information that it does not own.”

Read more on Hunton & Williams LLP



Perhaps if there was a “Commissariat for Verifying Citizen IDs” this wouldn't be an issue?

http://tech.slashdot.org/story/10/03/24/198243/GoDaddy-Follows-Googles-Lead-No-More-Registrations-In-China?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

GoDaddy Follows Google's Lead; No More Registrations In China

Posted by timothy on Wednesday March 24, @03:48PM

phantomfive writes

"GoDaddy has announced it will no longer register domain names in China, in response to new requirements that each registrant be photographed, and their business ID number be submitted. GoDaddy's representative said, 'The intent of the procedures appeared, to us, to be based on a desire by the Chinese authorities to exercise increased control over the subject matter of domain name registrations by Chinese nationals.'"



My Security students argued that this would never happen. Welcome to the economic realities of the real world.

http://tech.slashdot.org/story/10/03/24/2052223/Who-Should-Own-Your-Smartphone?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Who Should Own Your Smartphone?

Posted by timothy on Wednesday March 24, @05:13PM

snydeq writes

"The great corporate barrier against employees using personal smartphones in business contexts has been breached, writes InfoWorld's Galen Gruman. According to a recent report from Forrester Research, half of the smartphones in use among US and Canadian businesses are not company-issued equipment. In fact, some organizations are even subsidizing employees' service plans as an easy way to avoid the procurement and management headaches of an increasingly standard piece of work equipment. Gruman discusses the pros and cons of going with a subsidized, employee-owned smartphone plan, which is part of a larger trend that sees IT loosening its grip on 'dual-use' devices, including laptops and PCs."



So maybe this “leak” was intentional? This is far from “Best Practices”

http://www.databreaches.net/?p=10808

An ACTA of insecurity

March 24, 2010 by admin

By now, the leaked copy of the January 18, 2010 draft of ACTA is all over the web. What I don’t understand is the notice on the cover:

This document must be protected from unauthorized disclosure, but may be mailed or transmitted over unclassified e-mail or fax, discussed over unsecured phone lines, and stored on unclassified computer systems. It must be stored in a locked or secured building, room, or cabinet.

In other words, they weren’t serious about protecting it from unauthorized disclosure.



This is interesting. Now I can redesign my Excel “Budget Project” with some real world numbers!

http://www.bespacific.com/mt/archives/023838.html

March 24, 2010

2010 Bundle Report: How America Spends

"...the first-ever Bundle Report, a breakdown of how America spent for all of 2009. The numbers...show how much the average American household spent last year: $37,782, not counting mortgage or rent (which are not included in the Bundle data). Divided into six categories, that's 23 percent of their daily budget spent on shopping, 14.5 percent on getting around (gas and auto expenses), 17.5 percent on food and drink, 7 percent on travel and leisure, 17 percent on house- and home-related expenses, and 21 percent on health and family..."



For my website students

http://www.makeuseof.com/tag/3-free-tools-video-website/

3 Ways To Add Cool Video Features To Your Website



For my “better” students

http://www.makeuseof.com/dir/certificatestreet-free-printable-award-certificates

CertificateStreet: Get Free Printable Award Certificates

www.certificatestreet.com



For my Capstone students

http://www.makeuseof.com/tag/zim-desktop-wiki-life-universe/

Zim: An Easy To Use Desktop Wiki For Your Life & Everything

by Justin Pot on Mar. 24th, 2010

… The Zim wiki is an open-source program available for Linux and Windows, and it’s a great way to build a simple desktop wiki. Best of all, it’s named after the single greatest cartoon character in history.

… Installing the Zim wiki is easy. If you’re a Linux user, the program is most likely in your repositories already, so check out your package manager and find the package called “Zim.” Alternatively, you can find links to packages here.

Windows users can find a link to an installer here. Simply run the executable and you’ll install Zim wiki in one easy step.

Wednesday, March 24, 2010

Couldn't we at least fine them as much as they made in the deal? This sends the wrong message to my Hacking 101 students.

http://www.wired.com/threatlevel/2010/03/jethro-sentencing/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Gonzalez Accomplice Gets Probation for Selling Browser Exploit

By Kim Zetter March 23, 2010 11:50 am

A computer security professional who sold Internet Explorer exploit code to credit card hacker Albert Gonzalez was sentenced Tuesday in Boston to three years probation and a $10,000 fine.

Jeremy Jethro, 29, was paid $60,000 by Gonzalez for a zero-day exploit against Microsoft’s browser, “the purpose and function of which was to … enable the conspirators to unlawfully gain access to, and redirect, individuals’ computers,” according to court records.



In 1984 (the book, not the year) Big Brother provided everyone with televisions that could look at you as you looked at them. Isn't this the same thing? (and should I tell my students?)

http://hardware.slashdot.org/story/10/03/23/1740241/Does-This-Headline-Know-Youre-Reading-It?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Does This Headline Know You're Reading It?

Posted by CmdrTaco on Tuesday March 23, @03:15PM

An anonymous reader writes

"Not yet, but it could. German artificial intelligence researchers are combining JavaScript with eye-tracking hardware to create 'text 2.0,' which 'infers user intentions.' Unimportant words also fade out while you're skimming the text, and a bookmark automatically appears if you glance away. It can pronounce the words you're reading, and reading certain words can trigger the appearance of footnotes or even translations, biographies, definitions, and sound effects or animations, almost like the truly interactive books in Neal Stephenson's The Diamond Age. 'With the help of an eye tracker, Text 2.0 follows your progress and presents effects just in time,' the researchers explain in a video. Meanwhile, DFKI has already created a free 'Processing Easy Eye Tracker plugin' (or PEEP) to manipulate windows with what they call 'gaze-controlled tab expose,' while there's speculation similar technology may be adopted by Apple. Apple has already purchased Tobii's eye-tracking hardware, and 'Whether these are for internal research only or for a future product, Apple is characteristically not saying.'"



An interesting new threat measure.

http://www.bespacific.com/mt/archives/023830.html

March 23, 2010

Cisco 2009 Annual Security Report

Cisco 2009 Annual Security Report Highlighting global security threats and trends: "The Cisco® Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010."



“We don't want no stinking Health Plan” Phase II. I want to read it, but I only have a week left on Spring Break...

http://www.bespacific.com/mt/archives/023828.html

March 23, 2010

13 States File Complaint Against "New Universal Healthcare Regime" - VA AG Goes It Alone

23 page complaint filed today in the Northern District of Florida - Nature of Action:

  1. "On March 23, 2010, a new universal healthcare regime, titled the “Patient Protection and Affordable Care Act,” H.R. 3590 (the Act), was signed into law by the President. The Act, which exceeds 2,400 pages, is available at http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h3590pp.txt.pdf (accessed March 23, 2010).

  2. The Act represents an unprecedented encroachment on the liberty of individuals living in the Plaintiffs’ respective states, by mandating that all citizens and legal residents of the United States have qualifying healthcare coverage or pay a tax penalty. The Constitution nowhere authorizes the United States to mandate, either directly or under threat of penalty, that all citizens and legal residents have qualifying healthcare coverage. By imposing such a mandate, the Act exceeds the powers of the United States under Article I of the Constitution and violates the Tenth Amendment to the Constitution.

  3. VA AG filed complaint in U.S. District Court, ED VA.



Completely unrelated to the new law. Probably.

http://www.phiprivacy.net/?p=2280

Should Doctors Google Their Patients?

By Dissent, March 23, 2010 7:20 pm

Jennifer Valentino-DeVries reports:

By now, it’s well known that almost anyone you meet — from a potential employer to a prospective date — might be searching for information about you online. But would you feel strange knowing that your doctor was Googling you?

The practice appears to be widespread, according to an essay in the latest edition of the Harvard Review of Psychiatry, and it raises some thorny ethical questions for doctors, particularly those dealing with mental health.

Read more on the Wall Street Journal Digits blog.

[They introduce a new 'medical' term, “patient-targeted Googling” I like it! Bob]



Also completely unrelated. Possibly.

http://www.phiprivacy.net/?p=2276

Surgeon Posted Nude Photos, Woman Says

By Dissent, March 23, 2010 7:21 pm

Srin McAuley reports:

A woman claims her plastic surgeon posted nude photos of her on Facebook without her consent. She claims Dr. Dennis Hurwitz and the Hurwitz Center for Plastic Surgery posted Before and After photos of her from her neck to her knees, along with her name, allowing anyone who looked at the photos “to be able to immediately ascertain [her] identity.”

The woman says she did not give Dr. Hurwitz or his surgery center permission to post the photos, and that they “were obligated to implement adequate practices and security measures to prevent their unauthorized distribution.”

[...]

She says the photos were also posted onto Windows Live SkyDrive, a publicly accessible online file storage and sharing application. And she says SkyDrive has nude photos of 13 other women posted with her, in a folder attributed to Kate Jones. The photos “all appear to be taken at the Hurwitz Center,” according to the complaint.

Read more on Courthouse News, keeping in mind that a lawsuit is just one side’s allegations that have as yet to see the light of a courtroom and have not been proven. A copy of the lawsuit can be found here.

Dr. Hurwitz’s office did not respond to a request for a response to the lawsuit by the time of this publication.



...meanwhile, in the rest of the world... Would they require the signature of a newborn infant if Mom posts pictures?

http://www.pogowasright.org/?p=8519

Facebook, Google’s game of online tag draws scrutiny of European privacy watchdogs

March 24, 2010 by Dissent

Frank Jordans of the Associated Press reports:

You have been tagged in 12 photos. Even if you’re not signed up to the Web site.

European regulators are investigating whether the practice of posting photos, videos and other information about people on sites such as Facebook without their consent is a breach of privacy laws.

The Swiss and German probes go to the heart of a debate that has gained momentum in Europe amid high-profile privacy cases: To what extent are social networking platforms responsible for the content their members upload?

[...]

Swiss and German data protection commissioners are demanding that Facebook explain its practice of allowing users to upload e-mail addresses, photographs and other personal details about people who haven’t signed up to the site.

Read more in the Chicago Tribune.



Isn't a strong response obligatory in Chinese culture?

http://yro.slashdot.org/story/10/03/23/209200/China-Hits-Back-At-Google?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

China Hits Back At Google

Posted by CmdrTaco on Tuesday March 23, @05:57PM

sopssa writes

"After Google yesterday started redirecting google.cn users to their uncensored Hong Kong-based google.com.hk servers, the Chinese government has now hit back at Google by restricting access to Google's Hong Kong servers. 'On Tuesday mainland China users could not see uncensored Hong Kong-based content after the government either disabled certain searches or blocked links to results.' China Mobile, the largest wireless carrier in the country, has also been approached by the Chinese government to cancel a contract with Google about having google.cn on their mobile home page for search. China Unicom, the second largest carrier in China, has also either postponed or killed the launch of Android-based mobile phones in the country."


(Related) Jonathan connects the cyber attack on Google with their decision to pull out.

http://techcrunch.com/2010/03/24/zittrain-google-stands-alone/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Zittrain: Google Stands Alone

by Evelyn Rusli on Mar 24, 2010

Don’t expect an army of web companies to rush to Google’s defense in China v. Google. The lines are drawn but Google will stand alone, according to internet law expert and Harvard Professor Jonathan Zittrain.



One card to rule them all. The National Drivers License card and the National ID card...

Two! Two cards to rule them all. The Drivers License, the ID and your Health Card...

Three! Three cards..

http://yro.slashdot.org/story/10/03/23/2223220/US-Lawmakers-Eyeing-National-ID-Card?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

US Lawmakers Eyeing National ID Card

Posted by timothy on Tuesday March 23, @06:40PM

According to Wired (and no big surprise, considering the practicalities of implementing massive changes in medical finance), US lawmakers "are proposing a national identification card, a 'fraud-proof' Social Security card required for lawful employment in the United States. The proposal comes as the Department of Homeland Security is moving toward nationalizing driver licenses."

[Would the Government be willing to guarantee the card as fraud-proof? I didn't think so. Bob]

[From the Wired article:

Homeland Security officials pointed to the Sept. 11 hijackers’ ability to get driver’s licenses in Virginia using false information as justification for the proposed $24 billion Real ID program. Schumer and Graham point to illegal immigration as cause for their plan.

[...because Foreign Nationals would be born with US ID cards and people would sneak across the border carrying them... Problems Solved! Bob]



Would this mandate a crime fighting plan for the US? Would we believe a country that said “They only used a hacked server here, they came from Cleveland.”

http://it.slashdot.org/story/10/03/24/0118228/New-Legislation-Would-Crack-Down-On-Online-Criminal-Havens?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

New Legislation Would Crack Down On Online Criminal Havens

Posted by timothy on Tuesday March 23, @11:43PM

Hugh Pickens writes

"The Hill reports that Senators Orrin Hatch (R-Utah) and Kirsten Gillibrand (D-NY) have introduced a bill that would penalize foreign countries that fail to crack down on cyber criminals operating within their borders. Under the bill the White House would have the responsibility of identifying countries that pose cyber threats and the president would have to present to Congress in an annual report. Countries identified as 'hacker havens' would then have to develop plans of action to combat cybercrimes or risk cuts to their US export dollars, foreign-direct investment funds and trade assistance grants. Numerous American employers, including Cisco, HP, Microsoft, Symantec, PayPal, eBay, McAfee, American Express, Mastercard and Visa, as well as Facebook, are supporting the Senators' legislation."



Actually, they did not allow personal use of their equipment. And they said they were monitoring use. (These were Police Officers after all.) What about those on the other side of the communication?

http://www.pogowasright.org/?p=8514

Privacy groups urge Supreme Court to protect text message privacy

March 23, 2010 by Dissent

The Electronic Frontier Foundation (EFF) urged the United States Supreme Court today to ensure that modern communications methods such as text messages retain the constitutional privacy protections applied to earlier technologies.

In an amicus brief in City of Ontario v. Quon, EFF sided with a public employee who was allowed personal use of his work pager but then discovered that his employer had secretly obtained his communication records from his wireless provider. The U.S. Court of Appeals for the 9th Circuit ruled that the city violated the Fourth Amendment, and the Supreme Court granted the city’s request to review that ruling.

“The Constitution fully safeguards the privacy of electronic communications sent over employer-provided equipment,” said EFF Civil Liberties Director Jennifer Granick. “Text messages, like phone calls or letters, are protected from warrantless law enforcement surveillance, even if sent from the workplace or through an outside service provider.”

This case comes to the Supreme Court as Americans are adopting smart phones in record numbers, making texting and on-the-fly emailing a part of everyday life for millions of people. Most employers allow and encourage some use of workplace equipment for personal communications, instead of forcing employees to carry around multiple devices. In its amicus brief, EFF urged the court not to disturb longstanding Fourth Amendment protections against warrantless law enforcement access to these electronic communications.

“The privacy questions in this case turn on the application of settled legal principles in new technological contexts,” said Andrew Pincus of Mayer Brown LLP and the Yale Supreme Court Clinic, who worked with EFF on the amicus brief. “The court should proceed cautiously, in order to preserve constitutional protections for Americans’ most private communications.” “People are moving away from postal mail and landline phones to electronic and mobile communications, both at home and at the workplace,” added EFF’s Granick. “We should not be forced to leave our privacy behind.”

EFF was joined on this brief by the American Civil Liberties Union (ACLU), the Center for Democracy and Technology (CDT), and Public Citizen.

For the full amicus brief: http://www.eff.org/files/filenode/ontario_v_quon/EFFamicus.pdf

For more on this case: http://www.eff.org/cases/city-ontario-v-quon

For this release: http://www.eff.org/press/archives/2010/03/23

[Many more documents at the EFF site. Bob]



For my Statistics class. Interesting comparison of Votes and Campaign Contributions. (You can do similar analysis and graphics at this site.)

http://www.tableausoftware.com/healthcare-bill-passed#

Healthcare bill will most benefit those who did not vote for it



Is this a Copyright violation?

http://yro.slashdot.org/story/10/03/24/1214239/Full-ACTA-Leak-Online?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Full ACTA Leak Online

Posted by CmdrTaco on Wednesday March 24, @08:53AM

An anonymous reader writes

"Following months of small Anti-Counterfeiting Trade Agreement leaks, the full consolidated ACTA text has now been posted online. The consolidated text provides a clear indication of how the negotiations have altered earlier proposals (see this post for links to the early leaks) as well as the first look at several other ACTA elements. For example, last spring it was revealed that several countries had proposed including a de minimus provision to counter fears that the border measures chapter would lead to iPod searching border guards. The leak shows there are four proposals on the table."



Tools & Techniques: Firewall Bypass Techniques

http://it.slashdot.org/story/10/03/23/239225/How-To-Evade-URL-Filters-With-Not-So-Fancy-Math?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

How To Evade URL Filters With (Not-So) Fancy Math

Posted by timothy on Tuesday March 23, @07:22PM

Trailrunner7 writes

"In their constant quest to find new and interesting ways to abuse the Internet, attackers recently have begun using an old technique to obfuscate URLs and IP addresses to bypass URL filters and direct users to malicious sites. The technique takes advantage of the fact that modern browsers will allow users to specify IP addresses in formats other than base 10. So a typical IP address that looks something like this — 192.10.10.1 — can also be written in base 8, hexadecimal or a handful of other formats, and the browser will recognize it and take the user to the specified site. What is interesting though is that due to the relative obscurity of using such methods to denote an IP or URL, it is quite feasible that existing security products do not correctly identify the URLs as valid or flag them as malicious when they point to existing known bad websites."
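The fix on the filtering side is to canonicalize the host before matching it against a blocklist, so that hex, octal, dword and partial-dotted spellings of the same address all collapse to one dotted-decimal string. The following Python is an added example written for this post, not code from the article or from any filtering product; it reimplements the legacy inet_aton parsing rules (a leading 0x means hex, a leading 0 means octal, fewer than four components fold the remaining bits into the last one) because Python's own ipaddress module accepts only plain dotted decimal. The sample URLs and the blocklist are constructed for the demonstration.

```python
import ipaddress
import re
from typing import Collection, Optional
from urllib.parse import urlsplit

# Per-component syntaxes accepted by legacy inet_aton-style parsers.
# Regexes are anchored with fullmatch so int() never sees underscores,
# signs or whitespace, which it would otherwise silently accept.
_HEX = re.compile(r"0[xX][0-9a-fA-F]*")   # 0xC0  (a bare "0x" reads as zero)
_OCT = re.compile(r"0[0-7]*")             # 0300  ("08" is rejected: not octal)
_DEC = re.compile(r"[1-9][0-9]*")         # 192


def _parse_part(part: str) -> int:
    """Parse one dotted component using inet_aton rules; ValueError if malformed."""
    if _HEX.fullmatch(part):
        return int(part[2:] or "0", 16)
    if _OCT.fullmatch(part):
        return int(part, 8)
    if _DEC.fullmatch(part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def canonical_ipv4(host: str) -> Optional[str]:
    """Return the dotted-decimal form of any inet_aton-style IPv4 literal.

    Accepts 1 to 4 components: a.b.c.d, a.b.c (c holds 16 bits),
    a.b (b holds 24 bits) or a single 32-bit dword. Returns None for
    hostnames and for literals whose components overflow their field.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *leading, last = values
    if any(v > 255 for v in leading):
        return None
    last_bits = 8 * (4 - len(leading))      # width of the final field
    if last >= 1 << last_bits:
        return None
    n = 0
    for v in leading:
        n = (n << 8) | v
    n = (n << last_bits) | last
    return str(ipaddress.IPv4Address(n))


def normalize_url_host(url: str) -> str:
    """Host of url in canonical form: dotted decimal for numeric literals,
    lower-cased as-is for real hostnames."""
    host = urlsplit(url).hostname or ""
    return canonical_ipv4(host) or host.lower()


def is_blocked(url: str, blocklist: Collection[str]) -> bool:
    """Match on the canonical host so obfuscated spellings cannot slip past the list."""
    return normalize_url_host(url) in blocklist


if __name__ == "__main__":
    # Constructed sample: every spelling below is 192.10.10.1, the article's example.
    blocklist = {"192.10.10.1"}
    for u in ("http://192.10.10.1/", "http://0xC00A0A01/", "http://3221883393/",
              "http://0300.012.012.01/", "http://0xC0.012.10.1/", "http://192.10.2561/"):
        print(f"{u:32} -> {normalize_url_host(u):14} blocked={is_blocked(u, blocklist)}")
```

A filter that compares the raw host string would block only the first of those six URLs; comparing the canonical form blocks all of them. The same normalization is worth applying to proxy logs before searching them, since a hunt for a known-bad address will otherwise miss the hex and dword spellings.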



Tools & Techniques: If not for stalking, at least some minor blackmail...

http://www.makeuseof.com/dir/friends-check-browser-history

HaveYourFriendsBeenThere: Remotely check any browser history for naughty sites

Do you want to know which of your friends have been looking at naughty websites? Or perhaps you want to know who among your coworkers has been visiting NSFW websites while at work? Then you should check out HaveYourFriendsBeenThere. It is a web tool that enables you to remotely snoop into someone's browser history and check for naughty websites.

To find out if someone has been visiting naughty sites, just copy the link generated by HYFBT, send the link to your friend and wait for the results. Once your friend opens the link, the site will immediately look into your friend’s browser and will send you a list of the adult sites he has opened. This tool also shows the results to your friends as well.

www.haveyourfriendsbeenthere.com



For my website and other programming students...

http://www.makeuseof.com/tag/top-3-browser-based-ides-code-cloud-2/

The Top 3 Browser-Based IDE’s To Code In The Cloud

by Simon Slangen on Mar. 23rd, 2010

For those that aren't in the know, "IDE" is an abbreviation of Integrated Development Environment. Very simply said, it's an application that can be used to write code, but usually with added compiler/interpreter, debugging and automation features; a browser-based IDE runs that application inside your web browser.

Finding a decent freeware code writing application (view previous code-editor compilations for Windows or Mac), never mind an IDE, can prove difficult. Some operating systems have it harder than others, and if you use more than one, or are on the move a lot, coding can be a bastard.

Bespin from Mozilla Labs

Coderun Studio

Kodingen



Not sure I want my students covering useful sites with 'sticky notes' but it might prove useful for group projects (or games like Treasure Hunt)

http://www.makeuseof.com/dir/stickr-leave-notes-on-web-pages

Stickr: Leave Notes On Web Pages

www.stickr.com

Similar tool: MyStickies.