Saturday, April 10, 2010

This does not bode well.

HIMSS: More hospital security breaches in 2010, but greater awareness

By Dissent, April 10, 2010 6:02 am

The number of healthcare facilities that reported a breach in security that requires notification increased 6 percent from 13 percent in 2008 to 19 percent in 2010, according to the 2010 HIMSS Analytics report on the security of patient data, commissioned by Kroll Fraud Solutions.

“The positive impact…is that there is a growing level of awareness around the state of patient data security in the U.S. healthcare industry related to the increased regulation and the policies put in place to comply with those rules,” the authors wrote. However, the report warned there is concern that the security practices in place continue to overemphasize “checklist” mentality for compliance without implementing more sustainable changes.

Among the respondents who reported a breach out of the 250 respondents that participated in the research, nearly three-quarters reported their organization had one (43 percent) or two (28 percent) breaches in the past 12 months. Another 15 percent reported 10 or more breaches during this time, according to the report. The remaining 15 percent had three to nine breaches during the time.

Read more on CMIO.

[From the article:

There continues to be a lack of awareness of the “extremely high costs” associated with a healthcare breach, the report found. Only 15 percent were concerned about a financial impact of a breach, down from 18 percent in 2008. ... Full enforcement of HITECH [Act]--including sanctions--which took effect Feb. 22, will make the costs associated with a breach even more burdensome,” the report stated.

Last State Without a Breach Notice Law? Not Mississippi

April 9, 2010 by admin

Tanya Forsheit reports:

Yesterday, Mississippi Governor Haley Barbour approved Mississippi’s first breach notification law, House Bill 583, leaving only four states without a notification law (Alabama, Kentucky, New Mexico, and South Dakota).

Read more on InformationLawGroup.

The law goes into effect July 1, 2011.

“Never ascribe to malice that which can adequately be explained by incompetence” Napoleon Bonaparte(?) “Never assume incompetence that which is a test of a cyber war tactic.” Bob

Chinese ISP Hijacks the Internet (Again)

Posted by Soulskill on Friday April 09, @04:39PM

CWmike writes

"For the second time in two weeks, bad networking information spreading from China has disrupted the Internet. On Thursday morning, bad routing data from a small Chinese ISP called IDC China Telecommunication was re-transmitted by China's state-owned China Telecommunications, and then spread around the Internet, affecting Internet service providers such as AT&T, Level3, Deutsche Telekom, Qwest Communications, and Telefonica. 'There are a large number of ISPs who accepted these routes all over the world,' said Martin A. Brown, technical lead at Internet monitoring firm Renesys. Brown said the incident started just before 10 am Eastern and lasted about 20 minutes. During that time the Chinese ISP transmitted bad routing information for between 32,000 and 37,000 networks, redirecting them to IDC instead of their rightful owners. These networks included about 8,000 US networks, including those operated by Dell, CNN, Starbucks, and Apple. More than 8,500 Chinese networks, 1,100 in Australia, and 230 owned by France Telecom were also affected."

[From the article:

The bad routes may have simply caused all Internet traffic to these networks to not get through, or they could have been used to redirect traffic to malicious computers in China.

While the incident appears to have been an accident, it underscores the weakness of the Border Gateway Protocol (BGP), a critical, but obscure, protocol used to bind the Internet together.

… For some reason, IDC China Telecommunication announced routes for tens of thousands of networks -- about 10% of the Internet. Typically this small ISP announces about 30 routes.
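Mechanically, the incident above is a small origin AS announcing prefixes it does not own, and route monitors catch it with two checks: does each announcement's origin match the prefix's expected owner (including more-specifics carved out of a known block, which win on longest match), and is any AS suddenly originating far more prefixes than usual. The following is an added example of both checks, not code from the Computerworld article or from Renesys; the prefixes, ASNs, feed lines and baseline counts are constructed, and a real monitor would load the expected-origin table from RPKI ROAs or IRR route objects.

```python
import ipaddress
from collections import Counter

# Expected-origin table: prefix -> ASN entitled to originate it. Constructed for
# this example; a real monitor would load it from RPKI ROAs or IRR route objects.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64502,
}

# How many prefixes each origin AS normally announces (constructed baseline,
# in the spirit of "this small ISP typically announces about 30 routes").
BASELINE_PREFIX_COUNT = {64500: 120, 64501: 40, 64502: 15, 64999: 2}

# Constructed route-collector feed, one "PREFIX|AS_PATH" line per announcement.
# The last ASN in the path is the origin. The comprehension stands in for the
# tens of thousands of prefixes the article says were announced at once.
SAMPLE_UPDATES = [
    "203.0.113.0/24|64600 64500",           # legitimate
    "198.51.100.0/24|64600 64700 64501",    # legitimate
    "192.0.2.0/24|64600 64999",             # wrong origin: 64999 does not own this block
    "198.51.100.128/25|64600 64999",        # more-specific carved out of 64501's block
] + [f"10.{i}.0.0/16|64600 64999" for i in range(12)]


def parse_update(line):
    """Split one feed line into (ip_network, [asn, ...])."""
    prefix, path = line.strip().split("|")
    return ipaddress.ip_network(prefix, strict=True), [int(a) for a in path.split()]


def origin_as(path):
    return path[-1]


def find_hijacks(updates, expected=EXPECTED_ORIGIN):
    """Flag announcements whose origin disagrees with the expected-origin table.

    Returns (prefix, announced_origin, expected_origin, kind) tuples. kind is
    'origin-mismatch' for an exact prefix or 'more-specific' for a sub-prefix
    of a known block: the more dangerous case, because longest match wins and
    the hijacker's route is preferred even where the owner's route is present.
    """
    expected_nets = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    findings = []
    for line in updates:
        net, path = parse_update(line)
        asn = origin_as(path)
        if net in expected_nets:
            if expected_nets[net] != asn:
                findings.append((str(net), asn, expected_nets[net], "origin-mismatch"))
            continue
        for known, owner in expected_nets.items():
            if net.version == known.version and net.subnet_of(known) and owner != asn:
                findings.append((str(net), asn, owner, "more-specific"))
    return findings


def find_volume_anomalies(updates, baseline=BASELINE_PREFIX_COUNT, factor=5):
    """Flag any origin AS announcing more than `factor` times its usual prefix count.

    This catches the 30-routes-to-30,000-routes pattern even for prefixes
    that are not in the expected-origin table at all.
    """
    counts = Counter(origin_as(parse_update(line)[1]) for line in updates)
    return {asn: n for asn, n in counts.items() if n > factor * baseline.get(asn, 1)}


if __name__ == "__main__":
    for finding in find_hijacks(SAMPLE_UPDATES):
        print("hijack:", finding)
    print("volume anomalies:", find_volume_anomalies(SAMPLE_UPDATES))
```

The volume check matters because an expected-origin table only covers prefixes you registered interest in; a leak of ten percent of the routing table is visible from the origin's prefix count alone. Neither check stops the bad routes from propagating, which is the BGP weakness the article refers to; that needs filtering at the transit provider that re-announced them.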

“...because we need to know what a bear does in the woods.”

US Forest Service admits putting surveillance cameras on public lands

April 9, 2010 by Dissent, who alerts us to this report by Tony Bartelme:

Last month, Herman Jacob took his daughter and her friend camping in the Francis Marion National Forest. While poking around for some firewood, Jacob noticed a wire. He pulled on it and followed it to a video camera and antenna.

The camera didn’t have any markings identifying its owner, so Jacob took it home and called law enforcement agencies to find out if it was theirs, all the while wondering why someone would station a video camera in an isolated clearing in the woods.

He eventually received a call from Mark Heitzman of the U.S. Forest Service.

In a stiff voice, Heitzman ordered Jacob to turn it back over to his agency, explaining that it had been set up to monitor “illicit activities.” Jacob returned the camera but felt uneasy.

Why, he wondered, would the Forest Service have secret cameras in a relatively remote camping area? What do they do with photos of bystanders?

How many hidden cameras are they using, and for what purposes? Is this surveillance in the forest an effective law enforcement tool? And what are our expectations of privacy when we camp on public land?

Officials with the Forest Service were hardly forthcoming with answers to these and other questions about their surveillance cameras. When contacted about the incident, Heitzman said “no comment,” and referred other questions to Forest Service’s public affairs, who he said, “won’t know anything about it.”


I don’t know about you, but the thought of unseen eyes monitoring or surveilling us while camping is somewhat disturbing. So… what do they do with all the images and should there be signs posted warning people that campgrounds are under surveillance and that you may be caught on camera while crapping in the woods? Is Francis Marion an anomaly or is this a widespread issue?

The battle never ends.

File-Sharers Safe Until Music Biz Change Laws

Written by enigmax on April 09, 2010

After failing in their case against The Pirate Bay, a music copyrights group has announced it will give up trying to get sites blocked and will leave file-sharers alone. Not forever though. They will instead put all their efforts into getting the law changed. The IFPI said yesterday that it wants to bring this same strategy to your country soon.

(Related) Opinions differ, as do cultures.

No Linking To Japanese Newspaper Without Permission

Posted by timothy on Saturday April 10, @02:40AM

stovicek writes with this excerpt from Ars Technica about the Japanese newspaper Nihon Keizai Shimbun, or Nikkei (English language site, so far apparently unaffected):

"Nikkei has taken efforts to preserve its paywall to absurd new levels: anyone wanting to link to the site must submit a formal application. [...] The New York Times, which reported on the new policy on Thursday, notes that the newspaper market in Japan is radically different from that in the US. Although some smaller outlets are experimenting with new ways of reaching readers, most papers require subscriptions to access online content, and the barriers have kept circulation of print editions quite high compared to the US. Nikkei management appears worried that links could provide secret passages to content that should be safely behind the paywall, and this fear has led to the new approval policy."

Is this part of Google's strategy? Install its own fiber networks then rank the sites that use it higher than those of competitors?

Google adds site speed to search mix

by Tom Krazit April 9, 2010 11:37 AM PDT

Google's famous recipe for determining how sites get ranked in search results has a new ingredient: site speed.

Two of Google's top search engineers--Google Fellow Amit Singhal and principal engineer Matt Cutts--announced the addition Friday, after hinting it would be coming for several months. It's actually been live for a few weeks, they said in a blog post Friday, and Google is using a variety of components to ascertain how much faster one Web page responds compared to another.

In general, one of Google's operating philosophies is that faster is better.

From the National “So much for science” Foundation? And we wonder why the US is falling behind the rest of the world in Science...

Evolution, Big Bang Polls Omitted From NSF Report

Posted by Soulskill on Friday April 09, @06:45PM

cremeglace writes

"In an unusual last-minute edit that has drawn flak from the White House and science educators, a federal advisory committee omitted data on Americans' knowledge of evolution and the Big Bang from a key report. The data shows that Americans are far less likely than the rest of the world to accept that humans evolved from earlier species and that the universe began with a big bang."

Mis-pelling in Akademric papers makes me krazy! (Only this isn't the case here.)

Weather to go to College

Source: The Economic Journal (via SSRN)

Consistent with the notion that current weather conditions influence decisions about future academic activities, I find that an increase in cloud cover of one standard deviation on the day of the visit is associated with an increase in the probability of enrolment of 9 percentage points.

Friday, April 09, 2010

Someone has studied the Tylenol case and applied its lessons!

customers notified of hack

April 8, 2010 by admin

suspects that its web site was breached and that customers’ names, addresses, phone numbers, e-mail addresses and credit card numbers were stolen.

In a letter to those affected which is not the typical letter I’m used to reading, company principal Paul Ballyk not only explained what an SQL injection attack is, but noted that even though the customer data were encrypted on the site, they believe that the hackers may have cracked the encryption code. Kudos to them for not trying to minimize the risk.

Customers who used the web site between December 1, 2009 and February 10, 2010 were notified of the potential compromise of their information. While the company did not offer free services such as credit monitoring, I liked how the president of the company invited people to email him or call him directly if they had questions.
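The letter explained what an SQL injection attack is; for readers who want to see the mechanism rather than a description, here is an added example (mine, not the company's code or anything from the post) using an in-memory SQLite table with constructed rows. It shows the defective query pattern, two payloads against it (a tautology that dumps every row, and a UNION that reads the schema catalogue, which is how an attacker locates the table holding card data in the first place), and the parameterized query that defeats both. Table and column names, rows and payloads are all constructed.

```python
import sqlite3


def build_db():
    """In-memory stand-in for a shop's customer table (constructed rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222"),
         ("carol@example.com", "3333")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The defective pattern: user input is spliced into the SQL text, so it can
    change the statement's structure, not just the value being compared."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: a bound parameter. The driver passes the value out of band, so
    quotes and keywords inside it are data, never SQL."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Two classic payloads (constructed). The first turns the WHERE clause into a
# tautology; the second appends a UNION that reads sqlite_master, SQLite's
# schema catalogue, and comments out the trailing quote.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both payloads through both query styles; returns row counts and,
    for the UNION payload, the table names the injected query leaked."""
    conn = build_db()
    return {
        "normal": len(lookup_parameterized(conn, "alice@example.com")),
        "vuln_tautology": len(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "vuln_union_tables": [row[0] for row in lookup_vulnerable(conn, PAYLOAD_UNION)],
        "safe_tautology": len(lookup_parameterized(conn, PAYLOAD_TAUTOLOGY)),
        "safe_union": len(lookup_parameterized(conn, PAYLOAD_UNION)),
    }


if __name__ == "__main__":
    print(demo())
```

On the encryption point in the letter: if the web application decrypts card data in the same code path an injected query travels through, or the key sits in a table or file the attacker can also read, encryption at rest does not limit what SQL injection exposes. It only helps when the key is out of the compromised component's reach.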

Complexity simply requires more control. There is no reason this should be true.

Data breaches to cost more in the cloud

April 8, 2010 by admin

Liz Tay reports:

Remedying a data breach costs 40 percent more for businesses that store their data offshore, a study of Australian incidents has found.

Conducted by the Ponemon Institute and PGP Corporation, the inaugural Australian Cost of a Data Breach report aimed to quantify the costs associated with public and private sector data breaches.

Sixteen organisations participated in the study between September 2009 and January, all of which had experienced one or more data breach incidents during the past year.

Read more on IT News.

Copies of the full study are available at:

Privacy breaches aren't so cheap either...

Judge Demands $50 Million From Plain Dealer

April 8, 2010 by Dissent

I was waiting for the other shoe to drop on this one, and now it has. As reported previously, the Cleveland Plain Dealer recently unmasked an online commenter and identified her as a judge. Now the judge is suing the paper for $50 million. Jeff Gorman of Courthouse News reports:

A state court judge demands $50 million from the Cleveland Plain Dealer, claiming it wrongfully exposed her and her daughter as the source of online comments about the judge’s cases. Cuyahoga County Court of Common Pleas Judge Shirley Strickland Saffold and her daughter, Sydney, seek damages for fraud, defamation, tortious interference, breach of contract, and invasion of privacy.

The Saffolds sued in the Cuyahoga County Court of Common Pleas over a story by James McCarty in the Plain Dealer’s March 26 edition.

Named as defendants are the Plain Dealer Publishing Co., editor Susan Goldberg, and the companies that run the Web site, which include Advance Publications. McCarty is not named as a defendant.

The Saffolds say McCarty identified them as the source of online comments posted by “lawmiss,” from Judge Saffold’s computer.

Some of the comments dealt with cases in Saffold’s court, including the pending case against Anthony Sowell, who has been accused of murdering 11 Cleveland women.

The Plain Dealer story reported that Judge Saffold denied making any of the comments about her cases, but that her daughter admitted making some of them.

The Saffolds claim that the Plain Dealer violated its privacy policy by revealing the identity of “lawmiss.”

Read more on Courthouse News.

From the complaint, it seems that the plaintiffs allege that the paper’s primary motive in breaching the commenter’s privacy was that the commenter had made a comment about the mental health of a relative of a Plain Dealer reporter.

This is the second case this year where a commenter on a newspaper’s site has either been unmasked or negatively affected by the paper revealing the source of comments. In an earlier case, St. Louis Post-Dispatch social media editor Kurt Greenbaum was offended by a commenter’s language and after deleting the inappropriate comment only to have it resubmitted, he contacted the school identified in the commenter’s IP to alert them that someone at the school had posted inappropriate comments on the paper’s site.

Occasionally the FTC looks at businesses to see if they are living up to their stated privacy policy. Online privacy policies may be business decisions, but they are part of the public’s ability to trust sites. Would you post comments on a site if their stated privacy policy was, “We will respect your privacy and not reveal any account information unless obligated to by legal process or unless you piss us off?”

I would like to see the FTC take a look at the Plain Dealer case to see if they think that the paper’s action was consistent with its stated policy.

Related: Strickland-Saffold v. Plain Dealer.

(Related) Seems there's a lot of this going on.

Prosecutor who unmasked blogger may not have immunity – court

April 9, 2010 by Dissent

As a follow-up to a case in Florida that was mentioned on this site last year, there’s a decision in the case of Tom Rich and his wife, who had sued the Jacksonville Police Department for “outing” Rich to his church as the author of a blog critical of the church. Rich had been blogging anonymously (and critically) about the church until the church asked one of its members, a police officer, to find out who was behind the blog. The officer went to a state attorney who issued the subpoena.

In their attempt to get charges dismissed based on qualified immunity, the defendants won some and lost some. Most notably, the court held that if the state attorney issued a subpoena without any criminal investigation, it would be a violation of Rich’s First Amendment rights. Now they progress to the next round where Rich will need to prove that claim.

Hat-tip, Eugene Volokh.

Computers are a wonderful weapon for asymmetric warfare.

Security Guru Richard Clarke Talks Cyberwar

Andy Greenberg, 04.08.10, 11:45 AM EDT

The antiterrorism czar who foresaw 9/11 discusses Obama's cybersecurity plans and North Korea.

… Around the world 20 to 30 nations have formed cyberwar military units. Everything we were talking about 10 or even 20 years ago in terms of cyberwar is happening, except for the development of relevant international law.

… With more time, I think we can solve the attribution problem. You can't find the origin of an attack in real time. But ultimately you can do the forensics if you can hack into all the servers. The NSA can do that. And the NSA tells me that attribution isn't really a problem.

… What I'm talking about would have no economic effect. [Isn't that impossible? Bob] The FCC can tell the tier one Internet service providers that they--not the DHS or the NSA--have to use a sophisticated search capability to look for patterns of malware. AT&T and Verizon tell me they can do that tomorrow.

We'd do this with the involvement of the privacy community. And it would solve 70% to 80% of the problem.

The best-prepared country for cyberwar is one that can't be attacked but can perform its own attacks. North Korea, like Afghanistan, has nothing to attack. But they're launching cyberattacks from South Korea and China. They're taking over whole floors of hotels in cities in China to set up teams of cyberwarriors.

In pure capability, our biggest enemy is Russia, followed closely by China. But if you ask who's the biggest threat in the sense that they might use their abilities, it might be North Korea. First, they're crazy, and second, they have nothing to lose.

… China won't engage in cyberwar with us unless they're at war with us for some other reason or there's an accidental cyberwar. I think an accidental cyberwar could happen, and escalation could occur very rapidly.

Undue reliance again? Perhaps just inadequately tested software. Poor management in either case.

Warhammer Online Users Repeatedly Overbilled

Posted by Soulskill on Thursday April 08, @11:53PM

TheSpoom writes

"A screw-up in EA's Warhammer Online billing system has resulted in many players being charged upwards of 22 times for a one-month subscription, filling bank accounts with overdraft fees and the Warhammer forums with very angry players, who are discussing the issue quite vocally. EA has said that refunds are in progress and that '[they] anticipate that once the charges have been reversed, any fees that have been incurred should be refunded as well.' They haven't specifically promised to refund overdraft charges, only to ask customers' banks to refund them once the actual charges are refunded. They seem to be assuming banks will have no problem with this."

Why I don't allow comments – I can make my own problems thank you...(Thou shalt remain ignorant?)

UK: High Court ruling serves as a warning against any moderation of user comments

April 8, 2010 by Dissent

A blog owner can avoid liability for user-generated content that appears on his site without being checked or moderated, the High Court has ruled. But fixing the spelling or grammar in users’ posts could lose him that protection, it said.

The Court ruled that the operator of blogging site could not have a libel case struck out. The site operator, Alex Hilton, had said that his argument that he deserved exemption as a service provider was so strong that a trial was not necessary. The Court disagreed.


Is this the start of the push-back against extended copyright?

The Economist Weighs In For Shorter Copyright Terms

Posted by timothy on Friday April 09, @01:38AM

lxmota writes

"The Economist says that long copyright terms are hindering creativity, and that shortening them is the way to go: 'Largely thanks to the entertainment industry's lawyers and lobbyists, copyright's scope and duration have vastly increased. In America, copyright holders get 95 years' protection as a result of an extension granted in 1998, derided by critics as the 'Mickey Mouse Protection Act'. They are now calling for even greater protection, and there have been efforts to introduce similar terms in Europe. Such arguments should be resisted: it is time to tip the balance back.'"

Never challenge a hacker! Always assume that your tools can be hacked.

Can Clever Hackers Target Smart Phones?

For my website class

Check Out Tagxedo, A Ridiculously Cool Word Cloud Generator

For Academic purposes only

SaveVideo: Instant Video Downloader with MultiSite Support

Similar tools: KeepHD, Youtube Catcher and ExtractVideo.

For my students who complain about spending $195 for a Math textbook?

The $20 DIY Book Scanner

… For those willing to put in a little effort, though, a book-ripper can be made for pennies. At Instructables you can learn how to make a “Portable, Paperless, Digital Copy Machine” from a few metal strips and rods and an old digital camera.

New & Improved Portable, Paperless, Digital Copy Machine [Instructables]

Thursday, April 08, 2010

Probably true, but very likely to change as consumers start pushing back.

How Identity Theft Is Like the Ford Pinto

April 8, 2010 by admin

Over on Concurring Opinions, Dan Solove describes a new paper by Chris Hoofnagle:

Professor James Grimmelmann likes to shop at Kohl’s. So much so that he applied for credit at Kohl’s. And he got it.

The problem is that James Grimmelmann didn’t really apply for anything. It was an identity thief.

Grimmelmann was a participant in Chris Hoofnagle’s study about identity theft. In a really eye-opening paper, Internalizing Identity Theft, 2010 UCLA J. of L. & Tech (forthcoming), Hoofnagle has concluded that one of the main reasons identity theft happens is because companies let it happen. It is an economic decision.

Back in 1981, in the famous case involving an accident due to a defect in a Ford Pinto, it came to light that Ford knew about the design defect in the car but ignored it because it calculated that paying damages in lawsuits would be less than fixing the design flaw.

Read more on Concurring Opinions.

Were Health Care providers exempt from other breach laws?

Virginia Adds Medical Information Breach Notice Law

By Dissent, April 8, 2010 7:31 am

David Navetta writes:

The state of Virginia has passed a breach notice law requiring notice of security breaches involving medical information.


“Breach of the security of the system” means unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of medical information maintained by an individual or entity. Good faith acquisition of medical information by an employee or agent of an individual or entity for the purposes of the individual or entity is not a breach of the security of the system, provided that the medical information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

Read more on InformationLawGroup.

[From the article:

[One definition of information covered: An individual's health insurance policy number or subscriber identification number, [Interesting. These numbers are used in place of the SSAN. First time I've seen this. Bob] any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

… Even if the data is encrypted, the law requires notice if the breach involved a person with access to the encryption key. [i.e. a disgruntled employee? Bob]

Technology – surveillance made simple.

Study: Maybe time to hide phone from mate?

by Dong Ngo April 7, 2010 1:43 PM PDT

Your significant other's asleep in the bedroom and you spot his or her phone lying on the couch. Would you take a peep at the text messages? According to a recent survey from consumer electronics shopping site Retrevo, there's a 38 percent chance you would if you're 25 or younger (or, one assumes, married to Tiger Woods).

Another benefit of Cloud Computing, the ability to switch some or all of your computing power to a Cloud vendor when you don't need it. The flip side is, you can purchase more compute power just as easily.

Wall St. Trading Servers To Power Off-Hour Clouds?

Posted by timothy on Wednesday April 07, @04:38PM

miller60 writes

"As cloud computing gains traction, some Wall Street firms running armadas of servers to power high-frequency trading operations are contemplating leasing out their excess computing capacity after the trading day ends at 4 p.m. 'Once 4:30 rolls around, we don't need those machines,' said one CTO of a market data firm. 'There may be an opportunity there.' A similar revelation led to the creation of the cloud computing operation at, which built its infrastructure to handle peak Christmas-season loads that lasted just a few weeks each year."

Something for my geeks to track?

Researcher Releases Hardened OS "Qubes"; Xen Hits 4.0

Posted by timothy on Wednesday April 07, @02:11PM

Trailrunner7 writes

"Joanna Rutkowska, a security researcher known for her work on virtualization security and low-level rootkits, has released a new open-source operating system meant to provide isolation of the OS's components for better security. The OS, called Qubes, is based on Xen, X and Linux, and is in a basic, alpha stage right now. Qubes relies on virtualization to separate applications running on the OS and also places many of the system-level components in sandboxes to prevent them from affecting each other. 'Qubes lets the user define many security domains implemented as lightweight virtual machines (VMs), or 'AppVMs.' E.g. users can have 'personal,' 'work,' 'shopping,' 'bank,' and 'random' AppVMs and can use the applications from within those VMs just as if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.'"

Xen's also just reached 4.0; some details below.

Research tool.

Live-PDF: Search Engine For PDF Files & E-books

Similar Tools: PDF Search Engine, PDFGeni, and ManyBooks.


10 Websites That Make Browsing Wikipedia More Fun

[Try the WikiMindMap Bob]

A site for my remedial Math students

Wednesday, April 7, 2010

Learn Your Tables - Math Practice

Learn Your Tables is a neat little site for students to use to learn and develop multiplication skills. The site offers two basic games on two different levels.

Wednesday, April 07, 2010

What would be the “non-e” equivalent? Etching your name on that microwave oven you bought? What happens if you want to sell the file later? Do you think there is a market for software to find and remove this data?

How “Dirty” MP3 Files Are A Back Door Into Cloud DRM

by Michael Arrington on Apr 6, 2010

All the big music sellers may have moved to non-DRM MP3 files long ago, but the watermarking of files with your personal information continues. Most users who buy music don’t know about the marking of files, or don’t care. Unless those files are uploaded to BitTorrent or other P2P networks, there isn’t much to worry about.

A list of which music services are selling clean MP3 files without embedded personal information, and which aren’t, is here. Apple, LaLa (owned by Apple) and Walmart embed personal information. Amazon, Napster and the rest have resisted label pressure to do so.

A music industry insider who’s asked to remain anonymous writes to us:

Hidden in purchased music files from popular stores such as Apple and Walmart is information to identify the buyer and/or the transaction. You won’t find it disclosed in their published terms of use. It’s nowhere in their support documentation. There’s no mention in the digital receipt. Consumers are largely oblivious to this, but it could have future ramifications as the music industry takes another stab at locking down music files.

Here’s how it works. During the buying process a username and transaction ID are known by the online retailers. Before making the song available for download their software embeds into the file either an account name or a transaction number or both. Once downloaded, the file has squirreled away this personal information in a manner where you can’t easily see it, but if someone knows where to look they can.
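Bob's question above, whether there is a market for software to find and remove this data, turns on knowing what to look for. Here is an added example, not from the TechCrunch piece and not any store's software: a scanner that searches a file for a buyer's known identifiers in the byte encodings ID3 text frames use (ASCII and both UTF-16 byte orders), a blind sweep for e-mail-shaped strings for the case where the identifier is not known in advance, and a function that blanks the hits in place without changing the file length. The sample file, its frame layout and the identifiers are constructed; where Apple or Walmart actually place the data is not reproduced here.

```python
import re


def build_sample_file():
    """Constructed stand-in for a purchased audio file: an ID3v2-style header,
    a text frame carrying the buyer's e-mail in UTF-16, tag padding, bytes that
    stand in for MPEG audio frames, and an ASCII transaction id near the end.
    The layout is made up for the example."""
    blob = bytearray()
    blob += b"ID3\x03\x00\x00\x00\x00\x02\x00"          # 10-byte ID3v2.3 header (constructed)
    blob += b"TXXX\x00\x00\x00\x2e\x00\x00\x01"         # frame header; 0x01 = UTF-16 text
    blob += "purchaser@example.com".encode("utf-16-le") + b"\x00\x00"
    blob += b"\x00" * 32                                # tag padding
    blob += b"\xff\xfb\x90\x00" * 16                    # stand-in for audio frame headers
    blob += b"txn=00012345" + b"\x00" * 4               # ASCII transaction id (constructed)
    return bytes(blob)


def encodings_of(identifier):
    """The byte forms a known identifier may take inside a tag."""
    return {
        "ascii": identifier.encode("ascii"),
        "utf-16-le": identifier.encode("utf-16-le"),
        "utf-16-be": identifier.encode("utf-16-be"),
    }


def find_identifiers(blob, identifiers):
    """Locate every occurrence of each known identifier (buyer e-mail, account
    name, transaction number) in each encoding. Returns (identifier, encoding,
    offset) tuples sorted by offset."""
    hits = []
    for ident in identifiers:
        for enc, needle in encodings_of(ident).items():
            pos = blob.find(needle)
            while pos != -1:
                hits.append((ident, enc, pos))
                pos = blob.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def find_email_like(blob):
    """Sweep for e-mail-shaped strings when the identifier is not known. A plain
    byte regex misses UTF-16 text because of the interleaved NULs, so the two
    byte-parity slices of the file are scanned as well as the raw bytes."""
    found = set()
    for view in (blob, blob[0::2], blob[1::2]):
        for m in EMAIL_RE.finditer(view):
            found.add(m.group().decode("ascii"))
    return sorted(found)


def blank_identifiers(blob, identifiers):
    """Overwrite each hit with zero bytes of the same length. Keeping the length
    unchanged leaves tag and frame size fields valid and the audio untouched."""
    out = bytearray(blob)
    for ident, enc, pos in find_identifiers(blob, identifiers):
        n = len(encodings_of(ident)[enc])
        out[pos:pos + n] = b"\x00" * n
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_file()
    known = ["purchaser@example.com", "00012345"]
    print("known identifiers:", find_identifiers(sample, known))
    print("e-mail sweep:", find_email_like(sample))
    print("after blanking:", find_identifiers(blank_identifiers(sample, known), known))
```

The blind sweep only finds identifiers that look like something; an opaque transaction number is invisible to it, which is why the known-identifier scan against your own receipt is the reliable check. Blanking in place answers the "remove" half of the question for plain embedded strings, but not for a watermark folded into the audio itself, which this example does not address.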

Ubiquitous Surveillance starts in the home with a product that's “for the children.” How would a mis-identified “predator” remove himself from the database? How easily could I “spoof” the system to include my local congressman?

UnitedParents To Provide Early Warning Against Online Predators, Cyberbullies

by Roi Carthy on Apr 7, 2010

Stealth Israeli startup UnitedParents is stepping closer to the bright lights today by announcing a $900K seed round, and the beta availability of its online child safety product, aimed at alerting parents whenever their children become involved in a potentially dangerous relationship with online predators and / or cyber-bullying.

UnitedParents’ consumer product is a downloadable piece of software (Windows only for now) that monitors children’s online activity. The product will initially latch onto the more popular Instant Messaging apps such as those by ICQ, AIM, MSN, and Yahoo, but will expand to include online chat modules such as that of Facebook’s. Further down the road, the product will also monitor email and public chat rooms.

UnitedParents’ software keeps track of the child’s online activity, monitoring over thirty parameters along his or her path. Using analysis, the technology is able to create profiles of the persons the child has engaged with and of the relationships themselves. Once a predator or bully is identified, UnitedParents creates a sort of fingerprint that it propagates across its network. Doing so allows it to track this person and alert potential next cases very early on, theoretically before any harm is done to the next child in line.

A red flag for the Class Action lawyers. Once again, Sony “pushes” an ill-advised (and apparently un-tested) update on its customers. Didn't they agree not to do that, or was the agreement so narrowly written that it was meaningless?

Sony Update Bricks Playstations

Posted by CmdrTaco on Wednesday April 07, @08:59AM

Stoobalou writes

"A controversial update which was seeded by Sony in order to remove the ability to run Linux on the Playstation 3 games console has caused a storm of complaints. The 3.21 firmware upgrade, which removes the security hole provided by the 'Install Other OS' widget used by lots of educational institutions and hackers alike, also removes the console's ability to play games... turning it into a very expensive doorstop."

Can we correct this before prices skyrocket or bandwidth nosedives?

April 06, 2010

Comcast Corporation v. FCC - Appeals Court Rules Against Net Neutrality

EFF: "In a ruling that imposes important limits on the FCC's authority to regulate the Internet, the D.C. Circuit Court of Appeals today overturned the FCC ruling against Comcast for interfering with the BitTorrent traffic of its subscribers. The court found that the Commission had overstepped the limits of its "ancillary authority" when it disciplined Comcast for its clandestine blocking behavior. The ruling is not likely to make much difference to Comcast subscribers—Comcast had already agreed to cease its BitTorrent interdiction before the FCC's ruling was issued. Instead, the court's ruling is important because it represents a blow to FCC Chairman Genachowski's proposed net neutrality regulations, which are premised on the same theory of "ancillary jurisdiction" that the FCC used against Comcast and that the court rejected today."

This is becoming a big problem. Small business isn't spending the time (or dollars?) to protect themselves against this type of crime and banks aren't offering to help since it creates no liability for them.

Information and Recommendations Regarding Unauthorized Wire Transfers Relating to Compromised Cyber Networks

Source: FBI, New York State Intelligence Center, New York State Office of Homeland Security, U.S. Secret Service, et al.

Does this make Groklaw a model for legal commentary?

Groklaw Will Be Archived At Library of Congress

Posted by kdawson on Tuesday April 06, @05:46PM

inode_buddha writes

"Groklaw has just received an invitation to be archived in the Library of Congress. In true FOSS style, PJ has decided to ask all the contributors and commenters if they wish to be included, since commenters own the copyrights on their comments. So far, the answer seems to be 'yes,' even for Anonymous Cowards. It's a great honor for Groklaw, but one wonders how many AC's there are, and whether Congress or future researchers would think that they are all one person."

Attention e-Discovery lawyers!

Breaking News: Qualcomm “No Sanctions” Order Issued

The long-awaited lawyer sanctions order was just entered in the Qualcomm case by U.S. Magistrate Judge Barbara L. Major, copy attached.


For my Computer Security students

Uncle Sam Wants You (To Fight Hackers)

The U.S. government is stepping up recruitment of engineers who can help wage cyberwar

By Rachael King

… Demand for cybersecurity professionals is growing quickly. Government and industry executives say they need more cybersecurity employees but struggle to find qualified applicants. Just 40% of government hiring managers say they're satisfied with the quality of applicants for federal cybersecurity jobs, and only 30% are satisfied with the number, according to a July 2009 report by Booz Allen Hamilton.

While the government's scholarship program can fill about 120 entry-level cybersecurity jobs, the feds need about 1,000 recent grads to fill those spots, according to the report.

Together, the U.S. public and private sectors will need about 60,000 cybersecurity workers in the next three years, says Greenberg. "There will be a shortage."

Tuesday, April 06, 2010

“Yeah, but it makes us look like we care!” (This is called “Teaching to the Test” in the academic world)

Compliance Is Wasted Money, Study Finds

Posted by Soulskill on Monday April 05, @04:12PM

Trailrunner7 writes

"Enterprises are spending huge amounts of money on compliance programs related to PCI-DSS, HIPAA and other regulations, but those funds may be misdirected in light of the priorities of most information security programs, a new study has found. A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company's data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies' true data assets are, but find that their security programs are driven mainly by compliance, rather than protection (PDF)."

Following up on one of the “big” attacks.

April 05, 2010

Shadows in the Cloud: Investigating Cyber Espionage 2.0

Information Warfare Monitor: "The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."

I wonder if something like this will spread to other law schools?

Naming and Shaming Toxic Web Apps

Posted by Soulskill on Monday April 05, @02:55PM

itwbennett writes

"Stanford Law School has released a wiki called WhatApp?, where users can rate all manner of web apps, browsers, mobile platforms, mobile apps, and social network apps on their security, privacy, and openness. Currently, the wiki 'lists some 200+ apps, but most of them have not been reviewed yet. So they need a lot of help,' writes blogger Dan Tynan. 'To review an app you select it from the list, then fill out a 9-question form rating its privacy, security, and openness, ranging from 5 (very private, secure, and open) to 1 (a steaming pile of vulnerabilities and violations).'"

For my Hacking students...

Exploits not needed to attack via PDF files

by Elinor Mills April 5, 2010 3:32 PM PDT

Portable Document Format (PDF) files could be used to spread malware to clean PDF files stored on a target computer running Adobe Acrobat Reader or Foxit Reader PDF software, a security researcher warned on Monday.

… The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Turning off JavaScript would not prevent the attack. It also does not require that the attacker exploit a vulnerability in the PDF reader itself.
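The check a defender would want for the behaviour described above, as an added example that is not from the article or the researcher: a Python scanner that flags PDF Launch actions (the PDF action type behind the "launch the executable" dialog), and does so even when the action name is hex-escaped or hidden inside a Flate-compressed object, without depending on JavaScript being present. The sample PDF and its PLACEHOLDER.exe target are constructed for the example, and the 300-byte lookahead for the /F file specification is a heuristic, not a PDF parser.

```python
import re
import sys
import zlib

# Action names worth flagging. /Launch is the one the article describes: it runs
# an external program after a confirmation dialog and needs no JavaScript.
SUSPICIOUS = (b"/Launch", b"/OpenAction", b"/AA", b"/JavaScript", b"/JS")

_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# PDF names may spell letters as #xx hex escapes (/#4Caunch == /Launch), which
# defeats naive string matching, so escapes are decoded before matching.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_FILE = re.compile(rb"/F\s*\(([^)]*)\)")

def _normalise(data: bytes) -> bytes:
    """Append inflated FlateDecode stream bodies, then decode #xx name escapes."""
    inflated = []
    for m in _STREAM.finditer(data):
        try:  # decompressobj tolerates a clipped trailing checksum byte
            inflated.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not a Flate stream (image data, uncompressed content, ...)
    text = b"\n".join([data] + inflated)
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), text)

def scan_pdf(data: bytes) -> dict:
    """Count suspicious action names and list the targets of /Launch actions."""
    text = _normalise(data)
    counts = {n.decode(): len(re.findall(re.escape(n) + rb"\b", text))
              for n in SUSPICIOUS}
    targets = []
    for m in re.finditer(rb"/Launch\b", text):
        # Heuristic: the /F file specification normally sits in the same action
        # dictionary (or its /Win sub-dictionary), so look a few hundred bytes on.
        f = _FILE.search(text, m.end(), m.end() + 300)
        if f:
            targets.append(f.group(1).decode("latin-1"))
    return {"counts": counts, "launch_targets": targets}

def needs_review(data: bytes) -> bool:
    """True when the file carries a Launch action, whether or not it has JavaScript."""
    return scan_pdf(data)["counts"]["/Launch"] > 0

# Constructed sample: a minimal PDF whose OpenAction is a hex-obfuscated Launch
# action with a placeholder target, and no JavaScript anywhere.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /#4Caunch /Win << /F (PLACEHOLDER.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    print(scan_pdf(blob), "-> review" if needs_review(blob) else "-> no launch action")
```

A file that trips only the JavaScript counters and a file that trips /Launch are different cases; the point of the article is that the second one survives a JavaScript-off policy, so it deserves its own verdict.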

Hope is not the best strategy.

Colleges Dream of Paperless, iPad-centric Education

By Brian X. Chen April 5, 2010 6:28 pm

Three universities are getting pumped to hand out free iPads to students and faculty with hopes that Apple’s tablet will revolutionize education.

… One hitch in the universities’ plans is that Apple has not inked deals with any textbook publishers to bring their offerings to the iPad’s iBooks store. So far Apple and publishers have only formed partnerships around e-books for fiction and nonfiction titles, like those available for the Kindle.

For textbooks, students can currently access about 10,000 e-textbooks through a third-party company called CourseSmart, which includes titles from the five biggest textbook publishers. CourseSmart is a subscription-based service that charges a fee for students to access e-textbooks of their choice for a limited time. The company has already announced an iPad app (demonstrated below).

Monday, April 05, 2010

Would you like some candy, little girl?

Facebook’s Sneaky Apps and Privacy Issues

April 4, 2010 by Dissent

Dan Tynan writes:

Last time out I wrote about about what Facebook Apps can know about you (“That Facebook app is not your friend”), using Lover of the Day as a particularly brain-dead example. Today’s lesson in social media privacy: You may have installed a Facebook app and not even know it.

Recently a friend (we’ll call him “Bob”) [No relation. Bob] dating site called OK Cupid. As he was filling out the form listing his interests, wants, dreams, desires, etc, OK Cupid asked if he wanted to populate that form using Facebook Connect. Bob clicked yes and didn’t think twice about it. A few days later he happened to check his Facebook apps page, whereupon he found one called OK Cupid, which was set by default to publish “one line stories” of his recent Cupid activity on his wall.

Read more on PCWorld.

Well, it gets the point across. Something for my Statistics class to chew on. (The class starts today!)

The Facebook Story In An Infographic

(Related) More statistics

Firefox: 30 percent of the world market

Mozilla releases its first quarterly statistical report, which is chock-full of stats only a geek could love.

(Related) Statistics again and evidence that an age discrimination charge should be added to all those Civil Suits...

Toyota Accelerator Data Skewed Toward Elderly

Posted by kdawson on Sunday April 04, @08:49PM

An anonymous reader passes along this discussion on the data for the Toyota accelerator problem, from a few weeks back. (Here's a Google spreadsheet of the data.)

"Several things are striking. First, the age distribution really is extremely skewed. The overwhelming majority are over 55. Here's what else you notice: a slight majority of the incidents involved someone either parking, pulling out of a parking space, in stop and go traffic, at a light or stop sign... in other words, probably starting up from a complete stop."

(Related) Statistics and “cause & effect”

Young Men Who Smoke Have Lower IQs

Posted by kdawson on Monday April 05, @08:18AM

Hugh Pickens writes

"Science Daily reports on a study that has determined that young men who smoke are likely to have lower IQs than their non-smoking peers. In the study, conducted with 20,000 Israeli Army recruits and veterans, the average IQ for a non-smoker was about 101, while the smokers' average was more than seven IQ points lower at about 94, and the IQs of young men who smoked more than a pack a day were lower still, at about 90. (These IQs all fall within the normal range.) 'In the health profession, we've generally thought that smokers are most likely the kind of people to have grown up in difficult neighborhoods, or who've been given less education at good schools,' says Prof. Mark Weiser of Tel Aviv University's Department of Psychiatry, whose study was reported in a recent version of the journal Addiction. 'Because our study included subjects with diverse socio-economic backgrounds, we've been able to rule out socio-economics as a major factor. The government might want to rethink how it allocates its educational resources on smoking.' Prof. Weiser says that the study illuminates a general trend in epidemiological studies. 'People on the lower end of the average IQ tend to display poorer overall decision-making skills when it comes to their health,' says Weiser. 'Schoolchildren who have been found to have a lower IQ can be considered at risk to begin the habit, and can be targeted with special education and therapy to prevent them from starting or to break the habit after it sets in.'"

Sunday, April 04, 2010

Possibly because they did not have adequate control (e.g. an inventory) of their data. Makes them look lazy or uncaring.

BCBS of Tennessee still notifying individuals of breach

By Dissent, April 2, 2010 5:44 pm

Almost six months after the theft of 57 hard drives from their Chattanooga facility, BlueCross BlueShield of Tennessee is still in the process of notifying individuals of the breach, according to an update to the New Hampshire Attorney General’s Office dated March 31 (pdf).


You can't be an AG in a conservative state without your own lawsuit.

First Private Lawsuit Challenging ObamaCare Filed in Mississippi

April 3, 2010 by Dissent

A privacy-themed lawsuit.

K. Douglas Lee writes:

Mississippi State Senator Chris McDaniel and I have filed a class action lawsuit today, Good Friday 2010, challenging the constitutionality of the Patient Protection and Affordable Care Act, also known as “ObamaCare” and a variety of other less polite euphemisms.

From the complaint:

Moreover, compelling Plaintiffs to enter into a private contract to purchase insurance from another entity will legally require them to share private and personal information with the contracting party. Specifically, by requiring Plaintiffs to abide by the Act’s individual mandate, Congress is also compelling Plaintiffs to fully disclose past medical conditions, habits and behaviors. Not only will the insurer be privy to all past medical information, Congress’s individual mandate will, by necessity, allow the compelled insurer access to Plaintiffs’ present and future medical information of a confidential nature. If judicially enforceable privacy rights mean anything, then private and confidential medical details certainly merit Constitutional protection. Plaintiffs should not be forced to disclose the most intimate details of their past, present and future medical information.

Read more of his blog entry on Big Government.

Related: Walters v. Holder.

Technically, having all the records already converted to electronic format does make it easier. Also the article says they won't work on “standards,” but you don't need standards to copy databases.

Blumenthal: NHIN Will Not Share Data With Government Agencies

By Dissent, March 31, 2010 6:58 pm

iHealthBeat reports:

During a recent Health IT Standards Committee meeting, National Coordinator for Health IT David Blumenthal denied allegations that a framework for the proposed national health information network would make it easier for data to be transmitted to government agencies, such as the CIA or Department of Justice, Modern Healthcare reports.

Blumenthal said that rumors have been circulating in the blogosphere that the National Information Exchange Model, “because it is a government-developed mechanism for generating standards and implementation specifications, might make it easier for health information to be transmitted, or might make it inevitable that it is transmittable to the Department of Justice, the Department of Homeland Security, the CIA, the [National Security Agency] — I don’t know where else.”

Read more on iHealthBeat.

[From the article:

He added that the Office of the National Coordinator for Health IT would not participate in a standards development process that led to such an occurrence.


EDITORIAL: Obamacare’s secret surveillance

By Dissent, April 3, 2010 9:28 am

From the editors of the Washington Times:

Blog sites have been buzzing about the National Medical Device Registry, a new office in the U.S. Food and Drug Administration that was created in the Obamacare reconciliation package. Concern centers on the registry’s authority to conduct “postmarket device surveillance activities on implantable medical devices,” including those that feature radio-frequency identification. The word “surveillance” conjures ominous images of government tracking and reporting. Some have suggested the law lays the groundwork for compulsory microchip implantation so the state can keep tabs on everyone – for their own good, naturally.

But there is no compulsory microchipping in the new law, and “postmarket surveillance” is a term of art in the medical community that in this case refers to monitoring devices to make sure they do what they are supposed to do, and do not pose a health risk. The FDA has been involved in this for more than a decade. The innovation in the new law is to federalize and centralize what used to be a public-private partnership.

Read more in the Washington Times.

Here's how they handle patient records in the UK.

UK: NHS sends confidential patient records to India

By Dissent, April 3, 2010 5:26 pm

Jon Ungoed-Thomas reports:

The NHS is sending millions of patient records and confidential medical notes to India for processing — despite a pledge by Labour that personal information would not be sent overseas.

It is the first time that databases of names, addresses and NHS numbers of patients have been sent abroad, along with private information about medical appointments.

NHS managers, under pressure to cut costs, are implementing the changes despite warnings about poor security in some offshore centres.

Read more on TimesOnline.

So much for privacy awareness...

National Health Information Privacy & Security Week

By Dissent, March 31, 2010 7:36 am

National Health Information Privacy & Security Week is April 11-17. AHIMA has some free resources available here. Unfortunately, a Google search for the event turns up more hits for merchandise than actual substance.

I normally don't post articles about laws that didn't make it, but I'm curious about the background here – why was this law “needed” in South Carolina?

South Carolina Governor vetoes bill to allow warrantless searches

April 3, 2010 by Dissent

Yvonne Wenger reports:

Gov. Mark Sanford has vetoed legislation that would allow law enforcement officers to search criminals on probation and parole without a warrant, an action that Charleston Mayor Joe Riley called “outrageous.”

The House and Senate passed the bill by wide margins, so Riley said he hopes that support will be in place to override the veto. But that can’t happen before the Legislature reconvenes April 13.

Sanford wrote in his veto message that the bill went too far in eroding personal liberty and freedom.

Read more in the Post and Courier.

Unfortunately, I think this is one consequence of the changes in publishing. Knowing how to search and how to “interpret” search results will become increasingly important.

Print-On-Demand Publisher VDM Infects Amazon

Posted by kdawson on Saturday April 03, @05:56PM

erich666 writes

"In recent months a flood of so-called books have been appearing in Amazon's catalog. VDM Publishing's imprints Alphascript and Betascript Publishing have listed over 57,000 titles, adding at least 10,000 in the previous month alone. These books are simply collections of linked Wikipedia articles put into paperback form, at a cost of 40 cents a page or more. These books seem to be computer-generated, which explains the peculiar titles noted such as 'Vreni Schneider: Annemarie Moser-Pröll, FIS Alpine Ski World Cup, Winter Olympic Games, Slalom Skiing, Giant Slalom Skiing, Half Man Half Biscuit.' Such titles do have the marketing effect of turning up in many different searches. There is debate on Wikipedia about whether their 'VDM Publishing' page should contain the words 'fraud' or 'scam.' VDM Publishing's practice of reselling Wikipedia articles appears to be legal, but is ethically questionable. Amazon customers have begun to post 1-star reviews and complain. Amazon's response to date has been, 'As a retailer, our goal is to provide customers with the broadest selection possible so they can find, discover, and buy any item they might be seeking.' The words 'and pay us' were left out. Amazon carries, as a Googled guess, 2 million different book titles, so VDM Publishing is currently 1/35th of their catalog, and rapidly growing."

Useful tools when you are trying to show students how to use technology.

Top 13 Screen Recorders to Record Your Screen Activities

For my hackers...

Taking Apart the Energizer Trojan

Posted by Soulskill on Monday March 29, @04:10PM

iago-vL writes

"Researchers at SkullSecurity have written a tutorial on how they reverse engineered the Energizer Trojan and generated an Nmap probe to remotely detect infections. The Energizer Trojan is a great educational tool because its inner workings are very simplistic, and it makes minimal efforts to hide itself or conceal its purpose; it even lists what appears to be the author's name — 'liuhong' — in the source! The article provides an introduction to malware analysis, from infecting a test machine to debugging and disassembling the Trojan to writing the actual probe."