Saturday, May 29, 2010

Our favorite school district learns another lesson: It's expensive to screw up.

http://www.philly.com/philly/news/pennsylvania/20100529_L__Merion__insurance_firm_spar_over_webcam_costs.html

L. Merion, insurance firm spar over webcam costs

By John P. Martin Inquirer Staff Writer Posted on Sat, May. 29, 2010

The Lower Merion School District argued Friday that the district's insurer should pay what could be a million-dollar tab to resolve a lawsuit over its now-disabled laptop tracking program.

… As the district launched an investigation and prepared to defend the lawsuit, it asked its insurer to cover the bills and any settlement or award.

But Graphic Arts balked, contending that its policy covered only personal injury or bodily harm, not the kind of damage that Robbins and his family alleged.

… How high the school district's bills will go is unclear. In the six weeks after Robbins and his parents filed their suit in February, the Ballard Spahr law firm and L3, a computer forensics company, submitted more than $550,000 in invoices for their services to Lower Merion.

District spokesman Doug Young said this week that those bills had been paid, but that the district was waiting for new bills from the firms for their work since then. It was not clear whether the district or insurer had paid those bills.

School board president David Ebby said last month that he expected at least $200,000 more in invoices before the case was over.


(Related) Might be an interesting read...

http://mrzine.monthlyreview.org/2010/scribner280510.html

Someone Is Watching: The Peril and Promise of School Surveillance

by Campbell Scribner

Torin Monahan, Rodolfo D. Torres, eds. Schools under Surveillance: Cultures of Control in Public Education. Critical Issues in Crime and Society Series. New Brunswick: Rutgers University Press, 2010. vi + 264 pp. $72.00 (cloth), ISBN 978-0-8135-4679-7; $24.95 (paper), ISBN 978-0-8135-4680-3.

… Read in light of the Lower Merion incident, what is most shocking is the public's lingering capacity for shock. The surreptitious use of laptop cameras was already underway in a Canadian classroom fifteen years ago, and in the decade after the Columbine shooting and the terrorist attacks of September 11, 2001, school administrators have cast an ever-widening net of observation and control over their pupils, raising important questions about safety, privacy, and student rights.



I think we're all getting a little disgusted seeing the same failures over and over and over...

http://www.databreaches.net/?p=11958

Missing records on stolen laptop from Cincinnati Children’s Hospital

May 28, 2010 by admin

Unencrypted.

Employee’s car.

Pardon me while I spit.

Peggy O’Farrell reports (emphasis added by me):

Cincinnati Children’s Hospital Medical Center is beefing up its computer security after a laptop computer containing more than 61,000 patient records was stolen.

The laptop was stolen from a hospital employee’s personal vehicle while it was parked outside the employee’s home in late March. Cincinnati police were notified of the theft.

The missing records were password protected, but not encrypted.

An investigation found that the records on the computer contained some personal information about patients, including names, medical records numbers and services provided, said hospital spokesman Jim Feuer.

Feuer stressed, though, that the records did not contain Social Security numbers, credit card numbers or telephone numbers.

Read more on Cincinnati.com.

The hospital issued a statement today, linked from its homepage.

[From the Hospital statement:

The theft occurred from an employee’s vehicle parked at his residence sometime between March 27 and 29, 2010. [So it seems the employee wasn't working on the data at home. Also amazing is the date of May 28 on the statement!!! Bob]

Since this event, Cincinnati Children's has strengthened its encryption practices to ensure no PC laptop computers are issued unless the encryption process is initiated. Additionally, it has improved its process for tracking the encryption of these laptops. [That's a lot to accomplish in no time at all. Perhaps Stephen Hawking is consulting? Bob]



This answers at least part of the “Why are there so many breaches” question

http://www.databreaches.net/?p=11950

Poll: Canadian businesses unconcerned about privacy breach risk

May 28, 2010 by admin

Most Canadian companies aren’t concerned about data breaches involving their customers’ personal information — even though these same companies report they are collecting and holding more personal information than ever before, according to the results of a poll released today.

The poll conducted by EKOS for the Office of the Privacy Commissioner of Canada found that 42 per cent of businesses surveyed are not concerned about security breaches.

Read the entire press release from the Office of the Privacy Commissioner, or read the final report.



Are we reaching a consensus on patient rights?

http://www.phiprivacy.net/?p=2829

WPF comments on possible changes to HIPAA privacy rule; requests more patient access to audit logs

By Dissent, May 29, 2010 6:02 am

Oops — I missed this announcement last week from the World Privacy Forum:

The World Privacy Forum filed comments with the US Department of Health and Human Services today in response to its Request for Information about possible changes to the HIPAA health privacy rule. WPF strongly supported patients’ current right to request a history of disclosures of their medical files, and requested an expansion of this right. WPF noted in its comments to HHS that “An individual cannot fully protect his/her privacy interest in a health record (and most other records) unless he/she has a right of access to the record, the right to propose a correction, and the right to see who has used the record and to whom it has been disclosed. Each of these elements is essential.”

Read the full WPF comments



If organizations discover new ways to use your personal data, should they tell you about it? Perhaps the proper way to evaluate the risks to your data is to assume that everything will be gathered together and made available to people whose job it is to make your life miserable...

http://www.pogowasright.org/?p=10684

Mobile Data: A Gold Mine for Telcos

May 28, 2010 by Dissent

Tom Simonite reports:

Cell phone companies are finding that they’re sitting on a gold mine–in the form of the call records of their subscribers.

Researchers in academia, and increasingly within the mobile industry, are working with large databases showing where and when calls and texts are made and received to reveal commuting habits, how far people travel for public events, and even significant social trends.

[...]

The data set is a collection of call detail records, or CDRs–the standard feedstock of cell phone data mining. A CDR is generated for every voice or SMS connection. Among other things, it shows the origin and destination number, the type and duration of connection, and, most crucially, the unique ID of the cell tower a handset was connected to when a connection was made. [The network illustration also breaks the data into the language being spoken. How would they know that without listening in? Bob]

[...]

Research in this area is typically focused on aggregate information and not individuals, but questions remain about how to protect user privacy, Blondel says. It is standard to remove the names and numbers from a CDR, but correlating locations and call timings with other databases could help identify individuals, he says. In the MIT study, for example, the team could infer the approximate home location of users by assuming it to be where a handset was most located between 10 p.m. and 7 a.m., although they also lumped people together into groups by zip code.

Read more in the MIT Technology Review.
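The privacy point in the excerpt above, as an added illustration (not code from the Technology Review article or the MIT study): a few constructed CDRs, with subscriber numbers replaced by opaque tokens in the usual way, still let an analyst infer each token's likely home cell using the 10 p.m. to 7 a.m. rule, while reporting only the per-zip-code aggregate hides the individual. The tower-to-ZIP mapping, the salt and all records are constructed sample values.

```python
"""Why removing names and numbers from call detail records (CDRs) is not enough.

Added illustration, not from the article: pseudonymised CDRs still leak each
subscriber's probable home cell via the night-time rule the article describes.
Aggregating to ZIP-code level is the mitigation the MIT team applied.
"""
from collections import Counter, defaultdict
from datetime import datetime
import hashlib

# Constructed CDRs: (subscriber_number, iso_timestamp, cell_tower_id).
# Real CDRs also carry the far-end number, connection type and duration.
SAMPLE_CDRS = [
    ("+15551230001", "2010-05-20T23:10:00", "TWR-101"),
    ("+15551230001", "2010-05-21T02:45:00", "TWR-101"),
    ("+15551230001", "2010-05-21T12:30:00", "TWR-220"),  # daytime, e.g. at work
    ("+15551230001", "2010-05-22T06:15:00", "TWR-101"),
    ("+15551230002", "2010-05-20T22:05:00", "TWR-105"),
    ("+15551230002", "2010-05-21T09:00:00", "TWR-220"),
    ("+15551230002", "2010-05-21T23:59:00", "TWR-105"),
    ("+15551230003", "2010-05-21T13:00:00", "TWR-220"),  # no night-time records
]

# Constructed tower -> ZIP mapping (hypothetical values).
TOWER_ZIP = {"TWR-101": "19066", "TWR-105": "19066", "TWR-220": "19103"}

NIGHT_START, NIGHT_END = 22, 7  # 10 p.m. to 7 a.m., as in the article


def pseudonymise(number: str, salt: str = "constructed-salt") -> str:
    """The standard 'remove the numbers' step: replace a number with a keyed token."""
    return hashlib.sha256((salt + number).encode()).hexdigest()[:12]


def is_night(ts: str) -> bool:
    """True if the timestamp falls in the 10 p.m. to 7 a.m. window."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= NIGHT_START or hour < NIGHT_END


def infer_home_tower(cdrs):
    """Most frequent night-time tower per pseudonymous subscriber.

    Returns {token: tower_id}; subscribers with no night-time records are omitted.
    The token hides the number, yet the home cell is still recoverable.
    """
    night_counts = defaultdict(Counter)
    for number, ts, tower in cdrs:
        if is_night(ts):
            night_counts[pseudonymise(number)][tower] += 1
    return {token: counts.most_common(1)[0][0] for token, counts in night_counts.items()}


def home_zip_histogram(cdrs):
    """Aggregate view: how many subscribers appear to live in each ZIP code."""
    homes = infer_home_tower(cdrs)
    return Counter(TOWER_ZIP[tower] for tower in homes.values())


if __name__ == "__main__":
    for token, tower in infer_home_tower(SAMPLE_CDRS).items():
        print(f"{token}: likely home cell {tower} (ZIP {TOWER_ZIP[tower]})")
    print("per-ZIP histogram:", dict(home_zip_histogram(SAMPLE_CDRS)))
```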



A push toward small, pirate/hacker-oriented ISPs?

http://news.slashdot.org/story/10/05/29/0615230/Ofcom-Unveils-Anti-Piracy-Policy-For-UK-ISPs?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Ofcom Unveils Anti-Piracy Policy For UK ISPs

Posted by timothy on Saturday May 29, @05:01AM

"Under plans drawn up by Ofcom, UK ISPs are going to draw up a list of those who infringe copyright, logging names and the number of times infringement took place. Music and film companies will then be allowed access to the list, and be able to decide whether or not to take legal action. '"It is imperative that a system that accuses people of illegal online activity is fair and clear," said Anna Bradley, chair of the Communications Consumer Panel.' The Panel, in partnership with Consumer Focus, Which, Citizens Advice and the advocacy body the Open Rights Group, has released a set of principles it believes should govern the code of practice. The principles say sound evidence is needed before any action is taken, consumers must have the right to defend themselves, and the appeals process must be free to pursue. The code shall come into practice by 2011, and only initially applies to ISPs with 400,000 customers or more."



No doubt this will require prosecutors to check if you have ever accessed Google Maps...

http://yro.slashdot.org/story/10/05/28/1821200/High-Tech-Burglars-May-Get-Longer-Sentences-In-Louisiana?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

High-Tech Burglars May Get Longer Sentences In Louisiana

Posted by Soulskill on Friday May 28, @03:08PM

"Burglars and terrorists should be careful not to use Google Maps if they plan on committing crimes in the state of Louisiana. Nola reports that a bill approved 89-0 by the Louisiana House will require that judges impose an additional minimum sentence of at least 10 years on terrorist acts if the crime is committed with the aid of an Internet-generated 'virtual map.' The bill, already approved by the Louisiana Senate, defines a 'virtual street-level map' as one that is available on the Internet and can generate the location or picture of a home or building by entering the address of the structure or an individual's name on a website. If the map is used in the commission of a crime like burglary, the bill calls for the addition of at least one year in jail (PDF) to be added to the burglary sentence. The House measure is now being sent back to the Senate for approval of clarifying amendments made by a House committee."



Statistics

http://mashable.com/2010/05/27/non-google-site-stats/

Facebook Leads in the Top 1,000 Sites

According to Google’s AdPlanner stats, Facebook is the number one most-visited destination on the web. Weighing in at an unfathomably heavy 570 billion page views [That's a 'per month' figure Bob] and 540 million users, the ubiquitous social network outranks every other non-Google site, taking more than 35% of all web traffic measured.

When it comes to non-Facebook social media properties, Twitter ranks 18th with 5.4 billion page views, Flickr (Flickr) is 31st with 1.8 billion views and LinkedIn (LinkedIn) sits in 56th place at 1.7 billion views.

Bank of America and PayPal also made the list, coming in at 93rd and 39th, respectively. And in the news category we find the BBC, which was ranked 43rd with 2.5 billion hits, followed by The New York Times’s website, which ranked 83rd with 600 million views.



Another confirmation of the “My opinion is better than your facts” syndrome. Note that this also explains politicians who wish to pass legislation making Pi equal to 3.

http://news.slashdot.org/story/10/05/28/1740208/The-Scientific-Impotence-Excuse?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The "Scientific Impotence" Excuse

Posted by Soulskill on Friday May 28, @02:25PM

"I've had the feeling for a long time that people refuse to listen to scientists. The following is from an article on Ars Technica: 'It's hardly a secret that large segments of the population choose not to accept scientific data because it conflicts with their predefined beliefs: economic, political, religious, or otherwise. But many studies have indicated that these same people aren't happy with viewing themselves as anti-science, which can create a state of cognitive dissonance. That has left psychologists pondering the methods that these people use to rationalize the conflict. A study published in the Journal of Applied Social Psychology [abstract here] takes a look at one of these methods, which the authors term "scientific impotence" — the decision that science can't actually address the issue at hand properly.' The study found that 'regardless of whether the information presented confirmed or contradicted [the subjects'] existing beliefs, all of them came away from the reading with their beliefs strengthened.'"



Another attempt to eliminate lawyers? Not according to the site.

http://agree2.com/

Agree2

The easiest way to make agreements online



An interesting talk (video) on how business find value in the tech world.

http://techcrunch.com/2010/05/28/video-evernote-ceo-phil-libin-shares-revenue-stats-and-how-to-make-freemium-work/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Video: Evernote CEO Phil Libin Shares Revenue Stats (And How To Make Freemium Work)

by Jason Kincaid on May 28, 2010

Last week at the Founder Showcase, a quarterly event put on by Adeo Ressi’s TheFunded, Evernote CEO Phil Libin gave a presentation discussing some of the startup’s key revenue numbers and strategy. During his talk, Libin outlined some of the ingredients in making the freemium model work, and how long-term users actually become more valuable over time.

- Users have grown more valuable over time. New users convert to premium at a rate of .5%. But of the users that signed up two years ago and are still active, 20% have become paid customers.

- Evernote’s cost per user is around 9 cents per active user per month. It makes around 25 cents per user per month. The site reached break even a year and a half ago.



Make an effort now, save time forever.

http://www.makeuseof.com/tag/set-email-filters-gmail-hotmail-yahoo/

How To Set Up Email Filters In Gmail, Hotmail and Yahoo

Friday, May 28, 2010

What did they learn from their breach? That there is a market for security!

http://www.thetechherald.com/article.php/201021/5663/Heartland-offers-end-to-end-encryption-to-customers

Heartland offers end-to-end encryption to customers

by Steve Ragan - May 27 2010, 19:40

The E3 card terminal that Heartland announced this week will offer end-to-end encryption of the card data. Merchants that use it will have peace of mind that the data is useless to criminals if captured, the company said. However, E3 isn’t a free offer to any of their 250,000 plus customers, or those who might want in on the action down the line.

… Ahmad told us that the top three benefits for Heartland customers using E3 include the fact that no cardholder data is present in the merchant’s systems. In addition, there are minimal, if any, disruptions to the merchant during day-to-day operations. Finally, there is the warranty from Heartland, which pays the merchant the amount of compliance fines, fees, or assessments in the event of a breach that can be linked to a direct failure of E3.



Things that make you say, “Oops!”

http://www.databreaches.net/?p=11917

UK: 1000 data breaches reported to the ICO

May 28, 2010 by admin

The Information Commissioner’s Office issued a press release and summary analysis of breaches:

With the number of breaches involving people’s personal information reported to the Information Commissioner’s Office (ICO) reaching 1000, the privacy watchdog is urging organisations to minimise the risk of mistakes. Staff need simple procedures on how to handle personal information with appropriate training to ensure the importance of personal information is fully understood.

The entire press release can be found here.

The government’s analysis of the 1007 breaches indicates that stolen data or stolen hardware accounted for the most common cause of breaches, with 307 breaches of this kind. Of those 307 thefts, 116 were reported by the NHS. The second most common source of reported breaches was disclosure errors (254), followed closely by lost data or lost hardware (233).

Comparing sectors, NHS (their public healthcare sector) accounted for 305 breaches, followed closely by the private sector (288 breaches).




I thought this might get messy. How dare Google actually look at publicly available, broadcast data! That's as rude as looking at the front of my house! The scum!

http://www.pogowasright.org/?p=10643

Oregon Judge Slaps Google With Restraining Order Over Private Wifi Data

May 27, 2010 by Dissent

Nick Saint reports:

An Oregon judge has issued a restraining order forbidding Google from destroying data the company accidentally recorded from private wifi networks with its Street View cars.

Google had announced its intention to consult with privacy advocates and governments about the best way to dispose of the data. Residents of Oregon and Washington filed a class action suit over privacy violations, and requested a restraining order to ensure the data could be used as evidence.

Read more on Business Insider and expect updates on this one.



Would P.T. Barnum's “This way to the egress” be considered adequate labeling?

http://www.pogowasright.org/?p=10640

UK: Viewing a website is a ‘transactional decision’, says OFT’s behavioural ad study

May 27, 2010 by Dissent

Struan Robertson writes:

OPINION: The OFT has endorsed the UK ad industry’s self-regulation of behavioural advertising. But its conclusion was based in part on a curious reading of consumer protection regulations, coupled with research that departs from similar studies.

The Office of Fair Trading is the Government’s consumer and competition authority. That it sees no need for Government regulation in behavioural advertising is great news for online publishers and advertisers. In my view, that is good for consumers too, because it helps to keep content free.

The biggest change demanded in the report is that ads selected according to someone’s browsing behaviour should be labelled. That’s a sensible step, and one that UK trade body the Internet Advertising Bureau (IAB) was taking already.

What surprised me more was another, less significant feature of the report: the OFT says that viewing a website is a transactional decision for the purposes of the Consumer Protection (Unfair Trading) Regulations, known as the CPRs.

Read more on Out-Law.com

[From Out-Law:

The report says:

"The OFT interprets transactional decision widely and believes it encompasses, for example, the decision to view a website. So not informing a consumer about the collection of information about their browsing behaviour could breach the CPRs if that knowledge would have altered their behaviour, perhaps by dissuading them from visiting that website."

The OFT is not just saying that it's worried about information or a lack of information influencing a decision to buy something on a website; it's talking about it influencing a decision just to visit a site, whether the site sells things or not.



Who'd a thunk it!

http://news.yahoo.com/s/ap/20100527/ap_on_hi_te/us_tec_online_reputation;_ylt=AoqatztyPnbiRKWbdbBlDteyBhIF;_ylu=X3oDMTJwc3ZkcXBjBGFzc2V0A2FwLzIwMTAwNTI3L3VzX3RlY19vbmxpbmVfcmVwdXRhdGlvbgRjcG9zAzEEcG9zAzIEc2VjA3luX3RvcF9zdG9yeQRzbGsDaW1hZ2UtY29uc2Np

Image-conscious youth rein in social networking

By MARTHA IRVINE, AP National Writer – Thu May 27, 3:49 am ET

CHICAGO – What's that? A young college grad lecturing her elders about online privacy?

It might go against conventional wisdom, but a new report from the Pew Internet & American Life Project is adding fuel to the argument that young people are fast becoming the gurus of online reputation management, especially when it comes to social networking sites.

Among other things, the study found that they are most likely to limit personal information online — and the least likely to trust free online services ranging from Facebook to LinkedIn and MySpace.

… In this instance, adults over the age of 30 might do well to listen. The Pew study and a mounting body of new research is showing that the very generation accused of sharing too much information online is actually leading the pack in online privacy.

The Pew study found, for instance, that social networkers ages 18 to 29 were the most likely to change the privacy settings on their profiles to limit what they share with others online. The percentage who did so was 71 percent, compared with just 55 percent of the 50- to 64-year-old bracket. Meanwhile, about two-thirds of all social networkers who were surveyed said they've tightened security settings.

… Consider also that the study found that a quarter of online adults said their employers now have policies about how they portray themselves online. [That's new, isn't it? Bob]

[The report: http://www.pewinternet.org/Reports/2010/Reputation-Management.aspx?r=1



Where do threats come from and what are their targets? If you have a detection tool anywhere along the path that connects these points (not only at the corporate end-point) you can detect and respond to an attack. Why do you want to be in my network?

http://www.wired.com/threatlevel/2010/05/einstein-on-private-networks/

Pentagon: Let Us Secure Your Network or Face the ‘Wild Wild West’ Internet Alone

By Kim Zetter May 27, 2010 1:50 pm

Companies that operate critical infrastructures and do not voluntarily allow the federal government to install monitoring software on their networks to detect possible cyberattacks would face the “wild” internet on their own and place us all at risk, a top Pentagon official seemed to say Wednesday.

… The Einstein programs are intrusion-detection and response systems developed by the National Security Agency. The government is in the process of deploying Einstein 2 to federal networks to inspect traffic for malicious threats, but there has been talk of deploying it to private-sector networks as well. Intrusion-detection systems are already a standard tool in the defense arsenal of private-sector businesses, and the government has been unclear about how its system surpasses those already available to companies.

… In 2008, DHS’s Privacy Office published a Privacy Impact Assessment (.pdf) on early versions of Einstein 2, but has not published one on Einstein 3. The assessment left many questions unanswered, such as the extent of the NSA’s role in the programs and whether information obtained by the monitoring systems will be shared with law enforcement or other intelligence agencies. [Of course it will. Why else would you bother detecting the attack? Bob]


(Related) ...but a different perspective. Question: How do I distinguish an all out attack from the government trying to take control of my network to defend me? (I'm still haunted by, “In order to save the village, we had to destroy it.”)

http://www.wired.com/dangerroom/2010/05/cyber-command-we-dont-wanna-defend-the-internet-but-we-just-might-have-to/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Cyber Command: We Don’t Wanna Defend the Internet (We Just Might Have To)

By Noah Shachtman May 28, 2010 9:44 am

OMAHA, Nebraska – Members of the military’s new Cyber Command insist that they’ve got no interest in taking over civilian Internet security – or even in becoming the Pentagon’s primary information protectors. But the push to intertwine military and civilian network defenses is gaining momentum, nevertheless. At a gathering this week of top cybersecurity officials and defense contractors, the Pentagon’s number two floated the idea that the Defense Department might start a protective program for civilian networks, based on a deeply controversial effort to keep hackers out of the government’s pipes.

U.S. Cyber Command (“CYBERCOM“) officially became operational this week, after years of preparation. But observers inside the military and out still aren’t quite sure what the command is supposed to do: protect the Pentagon’s networks, strike enemies with logic bombs, seal up civilian vulnerabilities, or some combination of all three.

A 356-page classified plan outlining CYBERCOM’s rise is being put into action. A team of about 560 troops, headquartered at Ft. Meade, Maryland, will eventually grow to 1093. Each of the four armed services is assembling its own cyber units out of former communications specialists, system administrators, network defenders, and military hackers. Those units – Marine Forces Cyber Command, the 24th Air Force, the 10th Fleet, and Army Forces Cyber Command – are then supposed to supply some of their troops to CYBERCOM as needed. It’s similar to how the Army and Marines provide Central Command with combat forces to fight the wars in Afghanistan and Iraq. Inside the military, there’s a sense that CYBERCOM may take on a momentum of its own, its missions growing more and more diverse.


(Related) How would you define a data disaster? Loss of control of the Air Traffic system? Disclosure of IRS data? Shutdown of the phone systems/stock markets/airline reservation systems?

http://it.slashdot.org/story/10/05/27/2018201/Are-We-Ready-For-a-True-Data-Disaster?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Are We Ready For a True Data Disaster?

Posted by timothy on Thursday May 27, @05:32PM

"Fatal Exception's Neil McAllister questions how long we can go before a truly catastrophic data disaster strikes. 'The lure of potential profits in the information economy, combined with the apparent ease with which data can be gathered and a lack of regulation, creates a climate of recklessness in which a "data spill" of the scale of the Deepwater Horizon incident seems not just likely, but inevitable.' Witness Google mistakenly emailing potentially sensitive business data to customers of its Local Business Center service, or the 1.5 million Facebook accounts and passwords recently offered up on an underground hacking forum. 'These incidents seem relatively minor, but as companies gather ever more individually identifiable data and cross-reference these databases in new and more innovative ways, the potential for a major catastrophe grows.'"



For my Intro to Computing (and Statistics) students. Another reason for Backups! Note that even with some lasting millions of cycles, we don't yet know what the Mean and Standard Deviation are.

http://hardware.slashdot.org/story/10/05/27/1841242/Flash-Destroyer-Tests-Limit-of-Solid-State-Storage?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Flash Destroyer Tests Limit of Solid State Storage

Posted by timothy on Thursday May 27, @04:02PM

"We all know that flash and other types of solid state storage can only endure a limited number of write cycles. The open source Flash Destroyer prototype explores that limit by writing and verifying a solid state storage chip until it dies. The total write-verify cycle count is shown on a display — watch a live video feed and guess when the first chip will die. This project was inspired by the inevitable comments about flash longevity on every Slashdot SSD story. Design files and source are available at Google Code."



For my Computer Security students.

http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_

How to foil Web browser 'tabnapping'

Patches may never come, but you can take steps to stymie tab kidnapping

By Gregg Keizer May 26, 2010 03:32 PM ET

Computerworld - A new, incredibly sneaky identity-theft tactic surfaced earlier this week when Mozilla's Aza Raskin, the creative lead of Firefox, unveiled what's become known as "tabnapping."

Stated simply, tabnapping -- from the combination of "tab" and "kidnapping" -- could be used by clever phishers to dupe users into giving up passwords by secretly changing already-open browser tabs. All of the major browsers on Windows and Mac OS X are vulnerable to the attack.



For my Computer Forensics students who don't have Windows 7 yet...

http://www.makeuseof.com/dir/findexif-extract-exif-data-online/

FindExif: Extract EXIF Data Online

All digital cameras add a bunch of information to each photo that they save. This information is called the EXIF data that is used to store information about the camera used to take the photo, the camera settings used, resolution of the image and other details that might help in classifying the image later on.

… FindExif is an online site that lets you extract exif data online and view it in an easy to understand format.

www.findexif.com

Similar sites: CameraSummary, Get-exif-info and Exifremover.



For my Computer Security (Process Engineering) students.

http://it.slashdot.org/story/10/05/28/009220/CERT-Releases-Basic-Fuzzing-Framework?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

CERT Releases Basic Fuzzing Framework

Posted by timothy on Thursday May 27, @08:53PM

"Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."

[From the article:

Fuzz testers, or fuzzers, are used by security researchers to find vulnerabilities by sending random input to an application. If the program contains a vulnerability that can lead to an exception, crash or server error, researchers can parse the results of the test to pinpoint the cause of the crash. [Note that this is the opposite of testing with real data. Your software must handle ANY input. Processing the good stuff and rejecting the bad. Bob]
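The dumb-fuzzing idea in miniature, as an added example that is not code from CERT's BFF release: a valid seed record is mutated at random and fed to a parser; inputs the parser rejects with a controlled error are the "rejecting the bad" case, while any other exception is a crash recorded together with the input that produced it, so it can be reproduced and pinpointed. The record format and both parsers are constructed for the illustration.

```python
"""Minimal mutation ('dumb') fuzzer in the spirit of CERT's Basic Fuzzing Framework.

Added example, not BFF's own code. A seed input is mutated at random and fed to
the target. A ValueError is a controlled rejection and counts as correct
behaviour; any other exception is a crash worth keeping, with its input.
"""
import random

# Constructed record format: one length byte followed by exactly that many payload bytes.


def parse_record_buggy(data: bytes) -> bytes:
    """Trusts the length byte: a short or truncated record raises IndexError, not ValueError."""
    n = data[0]
    payload = data[1:1 + n]
    payload[n - 1]               # touch the last byte without checking it exists
    return payload


def parse_record_hardened(data: bytes) -> bytes:
    """Validates every assumption before using the data (reject the bad, process the good)."""
    if len(data) < 1:
        raise ValueError("empty record")
    n = data[0]
    if n == 0 or len(data) != 1 + n:
        raise ValueError(f"length byte {n} does not match {len(data) - 1} payload bytes")
    return data[1:]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite a byte, insert a byte, or delete a byte."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 500, rng_seed: int = 1):
    """Run the target on mutated inputs; return (rejected_count, crashes).

    crashes is a list of (input, exception_type_name) for every unexpected
    exception, i.e. the reproducer a researcher would use to pinpoint the bug.
    """
    rng = random.Random(rng_seed)   # fixed seed so a run is reproducible
    rejected, crashes = 0, []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            rejected += 1           # controlled rejection: expected behaviour
        except Exception as exc:    # anything else is the kind of bug fuzzing hunts for
            crashes.append((case, type(exc).__name__))
    return rejected, crashes


if __name__ == "__main__":
    seed_input = b"\x03abc"         # constructed valid record
    for name, target in (("buggy", parse_record_buggy), ("hardened", parse_record_hardened)):
        rejected, crashes = fuzz(target, seed_input)
        print(f"{name}: {rejected} clean rejections, {len(crashes)} crashes")
        for case, exc_name in crashes[:3]:
            print(f"  {exc_name} on input {case!r}")
```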



For my Ethical Hacking students: Why we use Linux (Ubuntu)

http://apple.slashdot.org/story/10/05/27/1826207/iPhones-PIN-Based-Security-Transparent-To-Ubuntu?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

iPhone's PIN-Based Security Transparent To Ubuntu

Posted by timothy on Thursday May 27, @03:19PM

"Security experts found that the iPhone 3GS has very little security, even with a PIN set up. They plugged one into Ubuntu 10.04, and it was automounted with almost all of the iPhone's data exposed. This has been reported to Apple, but the company seems to be having difficulty reproducing the problem."


(Related) Making Linux even more useful

http://www.makeuseof.com/tag/4-ways-linux-compatible-software/

4 Ways To Make Linux Compatible With Even More Software



Tools & Techniques

http://www.makeuseof.com/tag/3-fast-easy-online-screen-capture-tools/

3 Fast and Easy Online Screen Capture Tools



Tools & Techniques: A number of simple videos explaining how things work.

http://www.commoncraft.com/

Common Craft

[Some Technology topics:

Blogs

Cloud Computing

RSS

Web Search Strategies

Wikis

Thursday, May 27, 2010

The restaurants would immediately notice if they weren't getting paid, but that bit about “secure transfer” isn't as important to them. Does the credit card industry certify any of these products?

http://www.databreaches.net/?p=11876

Restauranteurs threaten to sue POSitouch and NJ reseller

May 27, 2010 by admin

Yesterday’s press releases brought news of another potential lawsuit involving the restaurant industry and a POS vendor and reseller. I recognize the attorneys’ names as the same attorneys who filed suit on behalf of some Louisiana restauranteurs against another POS vendor, Radiant Systems, and their reseller, Computer World, last year. According to the press release, this potential lawsuit would be against Restaurant Data Concepts, Inc. of Warwick, Rhode Island, vendors of the POSitouch system, and CC Productions of Hoboken, New Jersey, the reseller.

At the core of the allegations in the developing lawsuit:

1) POSitouch’s POS system failure: The facts emanating from a forensic audit reveal that POSitouch sold a system that was non-compliant with PCI-DSS.

2) CC Productions’ mismanagement: This POSitouch reseller engaged in flagrant violations of PCI standards that gave rise to the security breaches. When companies such as CC Productions engage in the support and management of a merchant’s POS application system, they need to ensure that they are not engaging in suspect actions that open up the ports so that hackers may penetrate the entire system through malware.

[...]

While the exact amount of the identity theft losses to banks, the financial losses to the restaurants, fines, investigatory costs, fines imposed by the credit card companies and other costs attributed to fixing the computer systems’ security breaches are still being tallied, the lawsuit is seeking compensation to repay the penalties levied by the credit card companies and the massive costs to track down and repair the POS system problems. According to the attorneys, damages “could run well into seven figures.”

I’ve sent out inquiries to the lead attorney and to Restaurant Data Concepts and will be following any developments in this case on this site. At this point, I’m not even sure whether we already knew about any of these incidents but the coverage didn’t mention the POS, or if most of the breaches alluded to flew under the media radar.
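The allegation against the reseller is that it left ports open on the merchants' POS hosts. The check a QSA or a merchant's own staff would run is simple: list what is actually listening and compare it with the documented allowlist that PCI DSS requires for every open port. The script below is an added example, not code from the databreaches.net post, from POSitouch or from either party to the suit; the `ss -Hltnp` output it parses, the allowlist and the process names are all constructed for illustration.

```python
"""Compare a POS host's listening TCP sockets against a documented allowlist.

Added example (not from the databreaches.net post or either vendor). PCI DSS
requires a documented business justification for every open port; anything
listening that is not on that list is a finding. Input is constructed
`ss -Hltnp`-style output; the allowlist is hypothetical.
"""
import re
from dataclasses import dataclass

# Constructed sample of what `ss -Hltnp` might print on a POS back-office host.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=955,fd=5))
LISTEN 0 128 0.0.0.0:5900    0.0.0.0:* users:(("x11vnc",pid=1402,fd=7))
LISTEN 0 128 0.0.0.0:5631    0.0.0.0:* users:(("awhost32",pid=1500,fd=4))
LISTEN 0 128 0.0.0.0:8443    0.0.0.0:* users:(("posapp",pid=1202,fd=9))
"""

# Hypothetical documented allowlist: port -> business justification.
ALLOWED_PORTS = {
    22: "SSH, reachable from the management VLAN only",
    8443: "POS application API over TLS",
}

# Remote-access services that keep turning up in POS breach reports; flagged
# at high severity because they are the usual target of credential guessing.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5631: "pcAnywhere", 5800: "VNC-HTTP", 5900: "VNC"}

# LISTEN <recvq> <sendq> <addr>:<port> <peer> users:(("<proc>",pid=...,fd=...))
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -Hltnp` lines into Listener records; unparseable lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def audit(listeners, allowed=ALLOWED_PORTS):
    """Return (severity, port, process) for every socket not on the allowlist.

    Loopback-only sockets are reported at low severity: they are not reachable
    from the network, but they still have to appear on the documented list.
    Results are ordered high, medium, low.
    """
    findings = []
    for lst in listeners:
        if lst.port in allowed:
            continue
        if lst.addr.startswith("127."):
            severity = "low"
        elif lst.port in REMOTE_ACCESS_PORTS:
            severity = "high"
        else:
            severity = "medium"
        findings.append((severity, lst.port, lst.process))
    order = ("high", "medium", "low")
    return sorted(findings, key=lambda f: order.index(f[0]))


if __name__ == "__main__":
    for severity, port, process in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        label = REMOTE_ACCESS_PORTS.get(port, "")
        print(f"{severity:6} tcp/{port:<5} {process:10} {label}")
```

On a real host the input would come from `ss -Hltnp` (or `netstat -tlnp` on older systems) run on each POS machine, and the allowlist from the merchant's PCI documentation; the two VNC and pcAnywhere findings in the constructed sample are exactly the kind of "suspect actions that open up the ports" the complaint describes.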



Is this a Class Action slam dunk or just another bandwagon for state AGs (and others) to leap on?

http://www.wired.com/threatlevel/2010/05/google-sued/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Lawsuits Pour in Over Google’s Wi-Fi Data Collection

By Kim Zetter May 26, 2010 1:33 pm

At least three lawsuits have been filed against search engine giant Google for collecting Wi-Fi user data through its Street View cameras.

The lawsuits have been filed in California, Massachusetts and Oregon. They allege that Google violated federal and state privacy laws in collecting fragments of data from unencrypted wireless networks as its fleet of camera-equipped cars moseyed through neighborhoods snapping pictures.

The Massachusetts lawsuit, filed Tuesday by Galaxy Internet Services, is seeking class-action status for all Wi-Fi users in the state who may have been affected, and is asking for $10 million in damages.

… Not everyone believes the plaintiffs in the lawsuits have a winning case. One attorney noted to The Recorder that the Electronic Communications Privacy Act contains a safe harbor for breaches that involve collections of data that is already publicly accessible.

The plaintiffs also may not have standing for a suit unless they can prove that their personal data specifically was among the information that was collected.



Another instance where the breach is not immediately reported in full, so the story will drag out as each client acknowledges the breach and drags Towers Watson's name back into the news.

http://www.databreaches.net/?p=11855

City of Charlotte joins list of Towers Watson data loss victims

May 26, 2010 by admin

The City of Charlotte becomes the third entity to reveal that their data were on two DVDs lost by Towers Watson.

In April, DataBreaches.net reported that Lorillard Tobacco was notifying employees that their names, addresses, dates of birth, and Social Security numbers were on two missing DVDs. General Agencies Welfare Benefits Program also reported that they had notified 1,874 employees, former employees, and family members that information provided to Towers Watson in 2001 was on the missing DVDs. The information included first and last names, health insurance plan numbers and/or the Social Security numbers of the covered employees. At the time, Towers Watson did not respond to a request from DataBreaches.net for a statement about the breach. And now we learn that the City of Charlotte was also impacted by the breach. DataBreaches.net has just sent Towers Watson another request, but so far, no response.

This is beginning to remind me of the Colt Express breach where a lot of old data were left unencrypted and a lot of entities were affected by what, in that case, was a burglary. If anyone knows of other entities affected by this Towers Watson incident, please let me know. In the meantime, Steve Lyttle reports on the City of Charlotte news:

Charlotte officials say personal data from about 5,200 current and former employees and elected officials has been lost.

[...]

The data loss affects those who were receiving health coverage from the city in early 2002, and the information was contained on two DVDs kept by Towers Watson, a company which handles the city’s payroll, health insurance and other human resources operations.

The DVDs contained Social Security numbers, health plan coverage numbers, and prescription information.

Read more in the Charlotte Observer.



Some evidence of how the Identity wholesalers clean up their data. They wouldn't want to get a bad reputation for selling sub-standard Identities.

http://www.databreaches.net/?p=11880

44 million stolen gaming credentials found in online warehouse

May 26, 2010 by admin

Ellen Messmer reports:

Symantec says it has unearthed a server hosting the credentials of 44 million stolen gaming accounts — and one of the most surprising aspects of it is that the accounts were being validated by a Trojan distributed to compromised computers.

The purpose of this Trojan-based validation is apparently to figure out which credentials are valid and can be sold. Symantec is calling this the Trojan.Loginck, and as described in a blog post by Symantec researcher Eoin Ward, the database of stolen information includes about 210,000 stolen accounts for World of Warcraft, 60,000 for Aion, 2 million for PlayNC and 16 million for Wayi Entertainment, all of which were being sold online.

Read more on Network World.
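Seen from the game operator's side, the validation step the article describes has a recognisable shape: a source tries many distinct usernames in a short window and most of the attempts fail, because part of any stolen list is stale. The detector below is an added example, not Symantec's or Network World's code and not a description of Trojan.Loginck's actual traffic; the log format, the thresholds and the sample lines are constructed. It deliberately does not flag a NAT gateway behind which many real players log in, because that source's failure ratio stays low.

```python
"""Flag sources that look like automated validation of a stolen credential list.

Added example, not from Symantec or Network World. A source that, within a
sliding window, tries many distinct usernames with mostly failures is
flagged; a busy NAT gateway with mostly successful logins is not. Log format
and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log: ISO timestamp, result, username, source address.
SAMPLE_LOG = """\
2010-05-26T10:00:01Z ok   user=alice   src=10.1.1.5
2010-05-26T10:00:03Z fail user=bob     src=10.1.1.5
2010-05-26T10:00:04Z ok   user=bob     src=10.1.1.5
2010-05-26T10:00:10Z fail user=acct001 src=198.51.100.7
2010-05-26T10:00:11Z fail user=acct002 src=198.51.100.7
2010-05-26T10:00:11Z ok   user=acct003 src=198.51.100.7
2010-05-26T10:00:12Z fail user=acct004 src=198.51.100.7
2010-05-26T10:00:12Z fail user=acct005 src=198.51.100.7
2010-05-26T10:00:13Z fail user=acct006 src=198.51.100.7
2010-05-26T10:00:13Z ok   user=acct007 src=198.51.100.7
2010-05-26T10:00:14Z fail user=acct008 src=198.51.100.7
2010-05-26T10:05:00Z ok   user=carol   src=10.1.1.9
"""

WINDOW = timedelta(seconds=60)
MIN_DISTINCT_USERS = 5   # a human mistyping a password does not produce this
MIN_FAIL_RATIO = 0.5     # a stolen list is partly stale, so most attempts fail


def parse_log(text):
    """Return a list of (timestamp, success, user, src) tuples."""
    events = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        events.append((
            datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            result == "ok",
            user.removeprefix("user="),
            src.removeprefix("src="),
        ))
    return events


def suspicious_sources(events, window=WINDOW):
    """Return {src: (distinct_users, fail_ratio)} for each source that, in some
    window of `window` seconds, tried at least MIN_DISTINCT_USERS usernames
    with a failure ratio of at least MIN_FAIL_RATIO. The reported pair is the
    worst window seen for that source."""
    by_src = defaultdict(list)
    for ts, ok, user, src in sorted(events):
        by_src[src].append((ts, ok, user))

    flagged = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, _, u in win}
            fails = sum(1 for _, ok, _ in win if not ok)
            ratio = fails / len(win)
            if len(users) >= MIN_DISTINCT_USERS and ratio >= MIN_FAIL_RATIO:
                flagged[src] = max(flagged.get(src, (0, 0.0)), (len(users), ratio))
    return flagged


if __name__ == "__main__":
    for src, (users, ratio) in suspicious_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {users} distinct users, {ratio:.0%} failures")
```

The same logic ports to a SIEM query (group by source, count distinct user, ratio of failures) once the thresholds have been tuned against the service's own traffic; the response the article implies, invalidating the accounts that did succeed from a flagged source, is a separate step.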



I'm amused to see that others also see the Forrest Gump Syndrome in action.

http://www.databreaches.net/?p=11866

Stupid is as stupid does: the Lake Ridge Middle School breach

May 26, 2010 by admin

As a follow-up to previous coverage about the stolen Lake Ridge Middle School thumb drive here and here, Andrea McCarren of WUSA-9 provides some additional details that have infuriated parents (emphasis added by me):

The device was taken from a bag in an administrator’s unlocked car in her unlocked garage.

….. On the stolen thumb drive: personal information on more than 1,200 students: their names, phone numbers and sensitive information, including whether they have a medical condition.

Dollars to donuts says they don’t report this to HHS even though it has names and medical conditions, because these things are considered education records. There is a huge gap in protection and notification laws here, folks…..


(Related) If true, this is much more serious than a relatively small entity failing to secure data. Did no one learn from TJX and Heartland?

http://thenextweb.com/us/2010/05/25/american-express-has-abysmal-online-security/

American Express Might Not Be Encrypting Your Credit Card Number Online

… Unix man Joe Damato has recently uncovered what appears to be a flagrant abdication of even the most basic rules of security online by American Express.



Are we moving toward a “You have no right to privacy” law?

http://www.pogowasright.org/?p=10555

U.S. lawmakers target pre-paid cellphone anonymity

May 26, 2010 by Dissent

AFP reports:

U.S. lawmakers unveiled a bill Wednesday to enable law enforcement to identify users of pre-paid cell phones, charging that anonymity makes the devices attractive to terrorists, drug kingpins and gangs.

The legislation would require buyers of pre-paid cell phones to show identification when they purchase them and mandate that telephone companies keep the information on file as they do with subscription cell phones.

Read more in the Vancouver Sun.

Michael McAuliff of the NY Daily News also covers the story, commenting:

We suspect most people will like this measure, but the phone companies, libertarians, and immigrant groups may not be pleased. [Note that libertarians and immigrants are not people. Bob]

Oh goody, here we go again with trading a leeetle bit — just a smidgeon — of privacy for security…. or so they’d have us believe.


(Related) The EU seems to be going the other way... Are these the basic rights we should see in all Privacy Law?

http://www.pogowasright.org/?p=10581

European Commission adopts draft mandate for EU-US data sharing deal

May 26, 2010 by Dissent

From the European Commission:

The European Commission today adopted a draft mandate to negotiate a personal data protection agreement between the European Union and the United States when cooperating to fight terrorism or crime. The aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters.

[...]

Under the Commission’s proposal:

- The transfer or processing of personal data by EU or US authorities would only be permitted for specified, explicit and legitimate purposes in the framework of fighting crime and terrorism;

- There would be a right to access one’s personal data and this would be enforceable in courts;

- There would be a right to have one’s personal data corrected or erased if it is found to be inaccurate;

- There would be an individual right of administrative and judicial redress regardless of nationality or place of residence.

Read more on Finextra.


(Related) Further basic rights?

http://www.pogowasright.org/?p=10586

Google, Yahoo and Microsoft Data Retention Practices Run Afoul Of EU Authorities

May 26, 2010 by Dissent

Wendy Davis reports:

European authorities told the three major search engines on Wednesday that their data retention practices violate a rule requiring the deletion of users’ personal information after six months.

The Article 29 Working Party alleged in letters to Google, Yahoo and Microsoft that they don’t adequately anonymize information about search users. “Therefore,” the letters state, “WP29 cannot conclude your company complies with the European data protection directive.”

Read more on MediaPost.
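The Working Party's complaint is about what happens to a search record once the retention period is up. The job below is an added example, not code from Google, Yahoo or Microsoft and not the text of the WP29 letters: records past a six-month cutoff lose the fields that tie them to a person outright, instead of being coarsened. The two helpers show the two weaker alternatives operators commonly reach for and why they fall short: truncating an address still leaves at most 256 IPv4 hosts in a /24, and a keyed hash is a pseudonym that whoever holds the key can reverse. The record layout, the 182-day period and the sample records are constructed.

```python
"""Apply a retention policy to search-log records.

Added example, not the search engines' code or the WP29 text. Records older
than RETENTION lose their identifying fields (full IP, cookie) outright.
truncate_ip() and pseudonymise() are included only to show what the weaker
alternatives do: coarsening and keyed hashing both leave a handle on the
user. Layout, period and sample records are constructed.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=182)   # roughly the six months the letters refer to
IDENTIFYING_FIELDS = ("ip", "cookie")

# Constructed sample records; "q" is the query string.
SAMPLE_RECORDS = [
    {"ts": "2009-11-01T12:00:00Z", "ip": "203.0.113.45", "cookie": "PREF=abc123", "q": "ford fiesta"},
    {"ts": "2010-05-20T08:30:00Z", "ip": "203.0.113.46", "cookie": "PREF=def456", "q": "weather paris"},
    {"ts": "2009-10-15T23:59:00Z", "ip": "2001:db8:1234:5678::1", "cookie": "PREF=ghi789", "q": "lower merion webcam"},
]


def truncate_ip(ip: str) -> str:
    """Coarsen an address the way 'delete the last octet' does: /24 for IPv4,
    /48 for IPv6. A /24 is at most 256 hosts, so on its own this is
    pseudonymisation, not anonymisation (author's assessment, not WP29 text)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash of an identifier. Stable for joins, but anyone holding `key`
    can recompute it for a candidate value, so it is reversible in practice."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def apply_retention(records, now, retention=RETENTION):
    """Return copies of `records`; those older than `now - retention` have the
    identifying fields removed and are marked anonymised. Queries are kept,
    which is itself a judgement call: query text can identify a person."""
    cutoff = now - retention
    out = []
    for rec in records:
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec = dict(rec)
        if ts < cutoff:
            for field in IDENTIFYING_FIELDS:
                rec.pop(field, None)
            rec["anonymised"] = True
        out.append(rec)
    return out


if __name__ == "__main__":
    now = datetime(2010, 5, 26, tzinfo=timezone.utc)
    for rec in apply_retention(SAMPLE_RECORDS, now):
        print(rec)
```

Whether keeping the query text after the cutoff is acceptable is the open question the Working Party is really raising; removing IP and cookie fields is the minimum, not the end of the analysis.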


(Related) A solution or window dressing?

http://www.technewsworld.com/story/Facebooks-New-New-Privacy-Settings-Same-Old-70080.html?wlc=1274909278&wlc=1274966179

Facebook's New, New Privacy Settings: Same Old?

… "Facebook made some positive changes today, but only because of political pressure from policymakers and privacy advocates on both sides of the Atlantic," Jeffrey Chester, executive director of the Center of Digital Democracy, told TechNewsWorld.

"Unfortunately, Facebook still refuses to give its users control over the data it collects for its targeted advertising products," Chester pointed out. "The defaults should also be initially set for non-sharing, with the minimization of data collection at the core of Facebook's approach to privacy."

… Jeremy Mishkin, chair of the litigation department of legal firm Montgomery, McCracken, Walker & Rhoads, told TechNewsWorld.

… "I guess Facebook will try to play up what good citizens they are by making controls simpler and hope that people don't realize they're being sold to advertisers," he said.



I see this as smart lawyering. It definitely cuts down the time and expense of evidence gathering and probably gives them a slam dunk in court!

http://torrentfreak.com/law-firm-asks-alleged-file-sharers-to-incriminate-themselves-100526/

Law Firm Asks Alleged File-Sharers To Incriminate Themselves

… Davenport Lyons (DL), the law firm which pioneered the “pay-up-or-else” scheme in the UK, are facing disciplinary proceedings by the Solicitors Regulation Authority on allegations of misconduct. Knowing full well that they cannot make the same mistakes as DL, ACS:Law are trying to be a little more careful in the way they try to force money out of letter recipients.

According to ACS:Law owner Andrew Crossley, his company does not state that the people they send their letters to are guilty of anything, only that their connection has been used to infringe. He also goes on to say that his letters are merely an offer to settle any potential legal case in the future and people aren’t obliged to pay anything.

… Yesterday consumer magazine Which? reported on the questionnaires being sent out by ACS:Law. The law firm sends these out once people have written to them denying they did anything wrong. All they are designed to do is to enable the letter recipient to incriminate themselves or, in some cases, other people.

The advice from Deborah Prince, Which?’s head of legal affairs, is that people are under no obligation to fill in these questionnaires. These bits of paper simply amount to a fishing trip by a law firm clutching at straws in the face of a recipient who won’t be bullied and won’t pay up.



Good news. Bad news. Being number one is good in some ways...

http://www.wired.com/epicenter/2010/05/apple-passes-microsoft/

Apple Passes Microsoft as World’s Largest Tech Company


(Related) But it also triggers the “If they're big, they must be evil” response.

http://www.electronista.com/articles/10/05/25/apple.said.abusing.itunes.lead.to.hurt.amazon/

DoJ investigating Apple for antitrust abuses in music



Death to the RIAA??? Are we seeing “Music Label 2.0” at last? Anyone interested in finding and signing the next 12 year old sensation?

http://media.venturebeat.com/2010/05/26/lady-gaga-and-justin-biebers-managers-myspace-is-dead-we-make-music-videos-for-youtube/

Gaga and Bieber’s managers: MySpace is dead, we make music videos for YouTube

May 26, 2010 Devindra Hardawar

In one of the more intriguing panels to come out of the TechCrunch Disrupt conference, this morning Troy Carter (Lady Gaga’s manager, and Founder & CEO of Coalition Media Group) and Scooter Braun (Justin Bieber’s manager, and Founder & Chair of SB Projects) discussed how the Web was impacting the music industry.

Specifically, they focused on the importance of YouTube, Twitter, and the management of an artist’s online identity.

Carter went as far as to say that he and Lady Gaga now develop music videos with YouTube in mind. Traditionally, the music industry aimed for MTV and foreign markets with videos. Now pop stars like Gaga are following in the footsteps of smaller web music video pioneers like OK Go. Braun also reminded the audience of how Bieber started out on YouTube, where his videos hit 55 million views before he signed his record deal.

After Braun discovered Bieber on YouTube, he came up with a strategy of creating more online content to promote the singer. This flew in the face of what the record labels were used to — they believed young singers needed a Disney or Nickelodeon show to become a viable act.

Carter mentioned that Gaga started out on MySpace about four years ago, but Braun was quick to point out that “nobody does MySpace anymore.” Carter is currently eying YouTube star Grayson Chance.

Both managers agreed that Twitter is an important tool, especially for artists that started out on the web. It’s a way to remove the layers between the fans and artist, and Carter believes that the younger generation today wants that unfiltered communication. They don’t want to hear the label speaking on behalf of the artist.

You can find a selective transcript of the chat over at TechCrunch.


(Related) Or is this just a fad? Does Oprah have one?

http://www.nytimes.com/2010/05/27/arts/television/27arts-RECORDCOMPAN_BRF.html

New Role for Degeneres: Record Company Mogul

By BEN SISARIO; Compiled by DAVE ITZKOFF

Published: May 27, 2010

A month after David Letterman said he had started a record company, Ellen DeGeneres has followed him with an announcement that she has created her own label.


(Related) Is this the other extreme? The opposite of “as visible as possible?” Will Rupert make this work, or kill his empire trying?

http://news.slashdot.org/story/10/05/27/0315243/UK-Newspaper-Web-Sites-To-Become-Nearly-Invisible?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

UK Newspaper Websites To Become Nearly Invisible

Posted by samzenpus on Thursday May 27, @04:52AM

"Various websites have tried to make readers pay for access to select parts of their sites. Now, in a bid to counter what he claims is theft of his material, Rupert Murdoch's Times and Sunday Times sites will become essentially invisible to web users. Except for their home pages, no stories will show up on Google. Starting in late June, Google and other search engines will be prevented from indexing and linking to stories. Registered users will still get free access until the cut off date."



Just to show my Math students that there are jobs waiting for them if they can get past their fear of fractions...

http://science.slashdot.org/story/10/05/27/0258245/Sudden-Demand-For-Logicians-On-Wall-Street?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Sudden Demand For Logicians On Wall Street

Posted by samzenpus on Thursday May 27, @01:46AM

"In an unexpected development for the depressed market for mathematical logicians, Wall Street has begun quietly and aggressively recruiting proof theorists and recursion theorists for their expertise in applying ordinal notations and ordinal collapsing functions to high-frequency algorithmic trading. [See! Simple! Bob] Ordinal notations, which specify sequences of ordinal numbers of ever increasing complexity, are being used by elite trading operations to parameterize families of trading strategies of breathtaking sophistication. The monetary advantage of the current strategy is rapidly exhausted after a lifetime of approximately four seconds — an eternity for a machine, but barely enough time for a human to begin to comprehend what happened. The algorithm then switches to another trading strategy of higher ordinal rank, and uses this for a few seconds on one or more electronic exchanges, and so on, while opponent algorithms attempt the same maneuvers, risking billions of dollars in the process." [Don't forget, I want a percentage! Bob]



This is for my Criminal Justice students – kind of like a “build a picture of your suspect” kit. WARNING: Be real careful of caricatures of your favorite professor, at least until I turn in your grades!

http://www.makeuseof.com/dir/caricaturemaker-caricature-faces

CaricatureMaker: Create Funny Caricatures Faces Online

www.digibody.com/avatar-maker/index.php

Similar sites: MrPicassoHead, PimpTheFace, PsykoPaint and FlashPaint.



Some inspiration for my Small Business Management students?

http://www.entrepreneur.com/magazine/entrepreneur/2010/june/206722.html

Entrepreneur's Annual 100 Brilliant Ideas



Bob's rant on North Korea – How will the US respond? It depends on who does the reporting, I guess.

http://theweek.com/article/index/203359/how-to-avert-a-new-korean-war-4-suggestions

4 strategies to avert a new Korean War

Kim Jong Il is telling his troops to prepare for battle as tensions escalate over the sinking of a South Korean warship. What now?

posted on May 26, 2010, at 12:42 PM

Keep up the pressure and hope for a coup: The population in the North is starving and the military is likely on the edge of revolt, says Ed Morrissey in Hot Air. Kim Jong Il is hoping that the U.S. "will come riding to rescue" with food aid to ease the desperate situation. It's a tricky balance and at some point Obama will probably have to do just that — but if he can steel his resolve and hold out long enough, the North Korean military "may just decide that [Kim's] not worth the trouble any longer" and get rid of him. Here's hoping... [But, Kim Jong Un is only in his 20s. Will the Military support him or use him? Bob]

"North Korea severs ties, communications with South"

Launch a preemptive strike: The worst-case scenario is that the North will lob artillery shells into Seoul with guns positioned near the border, says Richard Halloran in RealClearPolitics. The U.S. and South Korea should take them out in a three-pronged "surprise attack" using B-1 bombers, sea-launched guided missiles, and artillery shelling. That will remove the biggest threat, and "shock the poorly trained North Korean Army into standing down."

"War of words with North Korea"

Make sure Kim knows the score: If there's one thing that Kim Jong Il needs to be aware of, it's that the South will answer military action in kind next time, says Bill Powell in Time. Knowing this ought to go a long way toward keeping him in line, since a "hot war" would certainly mean the end of his regime. Unfortunately, the North has been cutting off even the meager lines of communication that exist between the countries, so it's hard to be sure he actually knows it. The solution? China needs to step up and forcefully convey the message to him.

"War in the Korean Peninsula: Thinking the unthinkable"

Let them get away with it, as usual: "The only government with the power to squeeze North Korea where it hurts is China," its biggest trading partner, says Richard Lloyd Parry in the London Times. But China doesn't seem interested in doing much squeezing. The only other viable option is to get behind a United Nations Security Council resolution condemning North Korea, and trumpet "the sternness and significance" of the rebuke. Sure, it's only theater — but hopefully it will provide some cover for the West's "impotence" in this situation.

"Analysis: North Korea will get away with this outrage — again"


(Related) The AP is for peace (Option 4?)

http://www.arkansasonline.com/news/2010/may/26/clinton-offers-olive-branch-north-korea-expels-sou/

Clinton offers olive branch as North Korea expels South Koreans

By The Associated Press

“There is an opportunity here for the North Koreans to see that their behavior is unacceptable,” Clinton said in Seoul on Wednesday after meeting with Foreign Minister Yu Myung-hwan. “They need to look internally to see what they could do to improve the standing of their own people and provide a different future.”


(Related) The US seems to be hoping for Option 1. I think that can only lead to chaos…

http://www.kwtx.com/nationalnews/headlines/94933709.html

Clinton: World Must Act On Sinking Of South Korean Ship

U.S. State Department Website

SEOUL, South Korea (May 26 2010)--U.S. Secretary of State Hillary Rodham Clinton says the world has a duty to respond to the sinking of a South Korean warship blamed on North Korea.