Saturday, June 19, 2010

Apparently enough users are concerned with Facebook privacy to support a small “fix your privacy settings” industry.

ReclaimPrivacy: Scan Your Facebook For Privacy Issues

Similar sites: Openbook and Zesty Facebook Privacy Checker.

Health care records: You've gotta be nuts to want your shrink's notes.

Ca: Psychologist’s anonymized peer review notes are the personal information of the patient

By Dissent, June 19, 2010 7:26 am

PIPEDA Case Summary #2009-018

A dispute between a patient and her psychologist resulted in the patient requesting access to the personal information held by that psychologist. Suspecting that information was missing, the patient filed a complaint. The results of the investigation led the Assistant Privacy Commissioner to contemplate the question of what qualifies as truly anonymous data and what can be linked back to an identifiable individual.

The investigation established that a psychologist had not given the complainant access to her “peer review” notes. These notes, which the psychologist used to consult with her peers (she was seeking advice on dealing with the patient), did not name the complainant but did concern the particulars of her case. The psychologist was of the view that the notes did not contain sufficient information to identify the complainant to anyone receiving the information. As the psychologist considered them “anonymized”, she believed that the notes were not the complainant’s personal information and that the complainant had no right of access to them.

Read more on the Privacy Commissioner of Canada’s web site.

“Where did you learn to sniff drugs, Mr. Fido?”

Defendant has burden of showing drug dog is not qualified [Wrong!]

June 18, 2010 by Dissent

John Wesley Hall, Jr. writes:

The CI was corroborated in significant part, and the CI had a good track record, so the stop was justified by that and the fact the registration expired. A drug dog was used on the vehicle, and the defendant has the burden of showing the drug dog was unqualified. United States v. Nguyen, 2010 U.S. Dist. LEXIS 59455 (D. Utah June 15, 2010).*

Note: This is just so fundamentally wrong, and I am shocked, shocked that a judge can still be that obtuse in 2010. (See this post from May on the same issue where a federal judge granted a motion to reconsider after applying the wrong burden of proof at the government’s request. “I’m from the government, and I’m here to help you.”)

Let me say it again for the Fourth Amendment impaired in the judiciary and government:

Read more of John’s discussion of this issue on

An immediate measure of “what's important” or “what's amusing?”

Lakers Victory Sets Twitter All-Time Record With 3,085 Tweets Per Second

Twitter has been seeing record numbers of engagement thanks to the World Cup games in South Africa and as a result the network has been going through significant downtime.

… These goals had the highest Tweets-per-second (TPS) count in the 30 seconds after a goal was scored: Japan scores against Cameroon on June 14 in their 1-0 victory (2,940 TPS), Brazil scores their first goal against North Korea in their 2-1 June 14 victory (2,928 TPS) and Mexico ties South Africa in their June 11 game (2,704 TPS).

These numbers from the World Cup were all time records until last night. It appears that basketball fans may be the most voracious Tweeters of all because last night’s Lakers win in the deciding game of the NBA Championship set a Twitter all-time record. The Lakers victory generated 3,085 TPS as the game ended. On an average day, Twitter sees about 750 TPS and 65 million total Tweets a day.

(Related) There are ever more Twits...

Latest comScore Stats Show Twitter Growth Is Still Strong

… According to comScore’s numbers Twitter grew from 83.8M unique visitors in April to 90.2M in May worldwide — an increase of 7.6%. By comparison, there was 5.5% growth between March, when Twitter had 79.4M, and April’s 83.8M. To give some perspective, a year ago comScore showed that Twitter had 37.3M uniques.

Local firm does well...

Lijit Proves Search Company Really Means Ad Company – Takes $6 Million Series D

Colorado startup Lijit is best known for providing websites with really good search. And it does search well – sites from Fred Wilson’s blog to ICanHasCheezburger use it.

Yep, it has a future...

June 18, 2010

Pew Report: The future of cloud computing

The future of cloud computing, by Janna Anderson, Lee Rainie, June 11, 2010

  • "Technology experts and stakeholders say they expect they will ‘live mostly in the cloud’ in 2020 and not on the desktop, working mostly through cyberspace-based applications accessed through networked devices. This will substantially advance mobile connectivity through smartphones and other internet appliances. Many say there will be a cloud-desktop hybrid. Still, cloud computing has many difficult hurdles to overcome, including concerns tied to the availability of broadband spectrum, the ability of diverse systems to work together, security, privacy, and quality of service."

Think of it as a “students’ translator”

OpenDictionary: Find Definitions For Recently Coined Words & Phrases

[One example:

moblivious (adjective): the state of being oblivious whilst using your mobile device when, for example, walking or driving. Bob]

For my Website students

PicPick Screen Capture & Image Editor – A Good Thing In A Small Package

… In brief, PicPick includes a basic image editor, color picker, color palette, screen tools like a screen magnifier, screen ruler, protractor, and last but not least, a whiteboard.

You can copy the installed folder and carry it around on your pen drive. PicPick sits on the System Tray and waits for a call to action.

You can put up a photo in full screen display and use the whiteboard markers to support your short speech. And you can save it just like a screen capture.

Friday, June 18, 2010

So... The old software is still on the student laptops?

LMSD approves new computer software

… This summer the district will begin replacing the LANrev system in thousands of computers with Casper Suite by JAMF Software. The new software will cost the district $28,050 annually and is expected to be in the district computers by the fall as the district continues its one-on-one computer program.

Board President David Ebby said the Casper Suite program will allow the district to continue to have the ability to upgrade the computers in the field as needed but it does not contain any of the tracking features that have brought the district into a federal lawsuit.

How to shift the blame. Step 1: Find a victim

Computer network breach at Virginia Beach Schools

June 18, 2010 by admin

From WVEC/13 News:

A computer network security breach on May 6th allowed a student access to confidential student information. School officials say that a glitch [Translation: we screwed up. Bob] in the system allowed the access, and it’s been fixed.

Officials say the student accessed names, addresses, birthdays, social security numbers and more, all sitting at a library computer at Ocean Lakes High School.

The school says that the student did not hack into the computer, but was able to look at temporary files that should have been secure using his student ID.


The student was only caught when he tried to print the information.

Student information at 22 schools was compromised, and though officials aren’t sure why the student wanted the information, they sent a letter home to parents urging them to monitor their children’s credit reports.

Because no hacking was involved the student will not face felony charges. Police are looking into misdemeanor charges.

Misdemeanor charges? They left data exposed and they’re thinking about charging the student?

A listing of the 22 schools and a copy of the letter to parents has been posted to Virginia Beach City Public Schools web site. I noticed that the letter to parents describes the student as having engaged in unauthorized access. Were the files marked “authorized personnel only” or was a password required that he worked around? I suspect not. The letter does not inform the parents that it was a glitch in the school system’s security that seemingly allowed the students to access the sensitive information without hacking.

I hope it was at least an unmarked car...

UK: Confidential papers stolen from policeman’s car

June 18, 2010 by admin

Police have fallen foul of the Data Protection Act after confidential paperwork was stolen from the boot of an officer’s car.

The force has now been forced to take remedial action after it emerged the officer did not have a safe at his house and did not store the documents in his secure briefcase.

A member of the public found the paperwork dumped in the street the next day and passed them on to a local police station.


Assistant Chief Constable Allyn Thomas said : “An officer made a mistake by leaving confidential documents in a locked briefcase that was stolen from the secure boot [Clearly not secure... Bob] of his car. He has been the subject of disciplinary action and has received further training regarding data protection.

Read more on Kent News.

This indicates something, but I'm not sure what. It looks like someone trying to promote a music video. Perhaps it is the political equivalent?

Utah Attorney General Mark Shurtleff Uses Twitter To Announce Execution

A sign of the times, although many may find it distasteful, or much worse: Utah Attorney General Mark Shurtleff used a mobile Twitter client to send out a tweet announcing the impending execution by firing squad of convicted murderer Ronnie Lee Gardner.

If you tell your employees they have no privacy when using company equipment, you're free to search.

SCOTUS holds that search of Quon’s text messages was not unreasonable (update3)

June 17, 2010 by Dissent

The Supreme Court has issued its opinion in City of Ontario v. Quon (previous coverage here).

The opinion was written by Justice Kennedy. Erin Miller of SCOTUSblog writes that the court held that

the search of the police officer’s text messages to his colleagues and to a woman with whom he was having an affair was reasonable, and therefore the officer’s 4th Amendment rights were not violated. The opinion notes that the case “touches issues of far-reaching significance,” but adds that the case could be resolved simply by applying several principles on when a search is or is not reasonable.

Before considering the reasonableness of the search, the court considered whether Quon had any reasonable expectation of privacy and concluded that he didn’t:

Before turning to the reasonableness of the search, it is instructive to note the parties’ disagreement over whether Quon had a reasonable expectation of privacy. The record does establish that OPD, at the outset, made it clear that pager messages were not considered private. The City’s Computer Policy stated that “[u]sers should have no expectation of privacy or confidentiality when using” City computers.

One of the issues that had been raised in discussing the case had to do with the privacy expectations of those who exchanged text messages with Quon, i.e., even if Quon didn’t have a reasonable expectation, did they? The court notes that the third parties did not raise the issue in a way that required the court to address it:

Petitioners and respondents disagree whether a sender of a text message can have a reasonable expectation of privacy in a message he knowingly sends to someone’s employer-provided pager. It is not necessary to resolve this question in order to dispose of the case, however. Respondents argue that because “the search was unreasonable as to Sergeant Quon, it was also unreasonable as to his correspondents.” They make no corollary argument that the search, if reasonable as to Quon, could nonetheless be unreasonable as to Quon’s correspondents. …. In light of this litigating position and the Court’s conclusion that the search was reasonable as to Jeff Quon, it necessarily follows that these other respondents cannot prevail.

I expect to see a lot of commentary from legal scholars on this opinion and will add links to their commentary to this post as I see them.

Update 1: Lyle Denniston has some preliminary comments on the opinion over on SCOTUSblog.

Update 2: More coverage:

Adam Liptak of the NY Times: Justices Allow Search of Work-Issued Pager;

David G. Savage in the L.A. Times: Justices rule in favor of California police chief who read employee’s texts;

W. Scott Blackmer on InformationLawGroup: Quon: US Supreme Court Rules Against Privacy on Employer-Issued Devices

Update 3:

Kevin Bankston of EFF also sees some hopeful signs in the decision: Hopeful Signs in Supreme Court’s New Text Messaging Privacy Decision, City of Ontario v. Quon.

Tony Mauro of National Law Journal covers the decision: Supreme Court Allows Search of Employee’s City-Owned Pager.

Even if I'm not specifically communicating with someone in Florida, I could be sued for calling their Supreme Court a bunch of inbred, ignorant, redneck, cocaine snorting fools? How sad!

Nonresidents can be sued over Florida Internet posts

June 17, 2010 by Dissent

The Associated Press reports:

Nonresidents can be sued for defamation under Florida law over their Internet postings if that information is accessible and accessed in Florida, the state Supreme Court ruled today. That applies even to bloggers such as Tabatha Marshall, who lives in Washington State and has no ties to Florida other than taking a vacation in the Sunshine State.

Previous rulings have determined phone calls and e-mails constitute “electronic communications into Florida,” but this is the first time a court has included blogs and other website postings.


Intriguing. The hash values (not the image itself) are matched to flag child porn. A match should result in the uploader at least coming under investigation. But it assumes that the image has been identified previously – 8,000 images is trivial compared to all the images on the Internet. So it won't be able to flag new images, and we will need to rely on the database to properly identify and hash child porn. How could this be challenged? Is a “hit” an automatic arrest and conviction?

N.Y. attorney general tackles child porn on social networks

The office of New York attorney general Andrew Cuomo has spearheaded the creation of a database of "digital fingerprints" to flag child pornography, an announcement Thursday explained. With the hash values of over 8,000 known child-porn images stored in the database, Cuomo said that he hopes its intended clients--social-networking, file-sharing, and photo storage sites--will start to use it "immediately."

… Here's how it works: The collection of "digital fingerprints," compiled through law enforcement efforts over the years, can be used as a filter by a partner social network so that when a photo is uploaded it can be checked against the contents of the database. If there's a match, the photo is not permitted to be uploaded. Use of the database is also available to law enforcement authorities, the announcement noted.
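The filter described above, as an added illustration (not code from the Attorney General's office or any partner site): a known-image hash database is built from file digests only, each upload is hashed and refused on a match, and the demo also shows the limitation the commentary raises, namely that a file not already in the database, including a byte-altered copy of a listed one, is not recognised. The sample "images" and hash list are constructed.

```python
"""Known-image hash filter, added as an example for the story above.
It is not the Attorney General's or any partner site's code; the sample
'image' bytes and the hash list are constructed for the demo."""
import hashlib
import io

# Constructed stand-ins for image files. A real deployment would hold
# digests of actual known images supplied by law enforcement.
KNOWN_IMAGE_A = b"\x89PNG\r\n\x1a\n" + b"constructed image A payload" * 4
KNOWN_IMAGE_B = b"\xff\xd8\xff\xe0" + b"constructed image B payload" * 4
NEW_IMAGE = b"\x89PNG\r\n\x1a\n" + b"an image nobody has catalogued yet" * 4


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of the raw file bytes: the 'digital fingerprint'."""
    return hashlib.sha256(data).hexdigest()


def build_database(known_images):
    """Build the lookup set from known files. Only digests are kept, so the
    database itself never contains image content."""
    return {fingerprint(img) for img in known_images}


def load_hash_list(text: str) -> set:
    """Parse a distributed hash list: one hex SHA-256 per line, '#' comments
    and blank lines ignored, malformed entries rejected rather than skipped."""
    db = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        if len(entry) != 64 or any(c not in "0123456789abcdef" for c in entry):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest: {entry!r}")
        db.add(entry)
    return db


def check_upload(stream, database, chunk_size=65536) -> dict:
    """Hash an upload stream in chunks and decide whether to accept it.
    The digest and size are returned so the caller can log a refusal for
    follow-up without ever retaining the refused bytes."""
    h = hashlib.sha256()
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        h.update(chunk)
    digest = h.hexdigest()
    return {"digest": digest, "size": size, "accept": digest not in database}


def demo():
    db = build_database([KNOWN_IMAGE_A, KNOWN_IMAGE_B])
    return {
        # exact copy of a listed image: refused
        "known": check_upload(io.BytesIO(KNOWN_IMAGE_A), db),
        # image never catalogued: accepted, nothing to compare against
        "new": check_upload(io.BytesIO(NEW_IMAGE), db),
        # listed image with one byte changed: different digest, so an
        # exact-match filter does not recognise it; this is the gap that
        # makes continual updating of the database essential
        "altered": check_upload(io.BytesIO(KNOWN_IMAGE_A[:-1] + b"!"), db),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} accept={result['accept']} sha256={result['digest'][:16]}...")
```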

At least, give yourself a chance to be secure.

Encrypt the Web with the HTTPS Everywhere Firefox Extension

June 18, 2010 by Dissent

Peter Eckersley of EFF writes:

Today EFF and the Tor Project are launching a public beta of a new Firefox extension called HTTPS Everywhere.


Firefox users can install HTTPS Everywhere by following this link.

As always, even if you’re at an HTTPS page, remember that unless Firefox displays a colored address bar and an unbroken lock icon in the bottom-right corner, the page is not completely encrypted and you may still be vulnerable to various forms of eavesdropping or hacking (in many cases, HTTPS Everywhere can’t prevent this because sites incorporate insecure third-party content).

For my Website and Presentations class - Creating Elegant Slideshows

Slideshow Box is an application that can be used in order to create Flash and HTML photo slideshow galleries. The whole system revolves around different templates that effectively turn the whole process into something that requires no coding or programming experience at all.

… It is all arranged by clicking your mouse here and there - you choose the files to be displayed, the order in which they will be featured, the intervals…

For my geeks...

How To Record Skype Video Calls For Free With Vodburner


Build Your Own Tablet for $400

Double ditto (Video explains how)

Geeks join crusade to kill grating vuvuzela

Thursday, June 17, 2010

Local: Interesting that someone gets it right! But then, Interior has been answering very pointed security questions from the DC Court since the Bush I Administration, over royalty payments to native Americans.

Interior loses CD with personal data for 7,500 federal employees

June 16, 2010 by admin

Alice Lipowicz reports:

A compact disc that contains personally identifiable information for about 7,500 federal employees has been reported lost by the Interior Department’s shared services center.

The incident occurred on or about May 26, when a procurement specialist at Interior’s National Business Center in Denver reported that the CD could not be located. The disc was sent to the business center by a third-party service provider, according to a June 10 news release.

The CD has not been found, Terri Raines, a spokeswoman for the National Business Center, said today.

The data on the CD was encrypted and password-protected, and was used to support billings from the vendor, Raines said. The disc was presumed to be lost in the center’s secured, restricted-access area, she added.

Read more on FCW. It seems that even though the data were encrypted, they are notifying individuals.

Gee, some of these sites may have security problems. Who knew!

Massive keylogger cache posted to

June 16, 2010 by admin

Steve Ragan reports:

Details for thousands of accounts, from Facebook to PayPal, have surfaced over the weekend on The details, which come from keylogging software, appear to have been dumped automatically to the site based on observations from BitDefender, who tipped The Tech Herald off to their existence on Friday.

Along with usernames and passwords, which are expected, the user’s browser details, computer name, and IP address are included with several reports.

Read more on Tech Herald. Also see the post on MalwareCity.

For my Ethical Hacking class. How can you tell which applications are growing (and at what rate) or which fail frequently unless you record the activity?

Employee monitoring: When IT is asked to spy

Tam Harbert reports:

Michael Workman, an associate professor at the Florida Institute of Technology’s Nathan M. Bisk College of Business who studies IT security and behavior at corporations, estimates that monitoring responsibilities take up at least 20% of the average IT manager’s time. [Very unlikely, unless they are reviewing logs manually. Bob]

Yet most IT professionals never expected they’d be asked to police their colleagues and co-workers in quite this way. How do they feel about this growing responsibility?

Workman says he sees a split among tech workers. Those who specialize in security issues feel that it’s a valid part of IT’s job. [Just like quality inspections in manufacturing. Bob] But those who have more of a generalist’s role, such as network administrators, often don’t like it. [Fire them! Bob]

Computerworld went looking for IT managers who would share their experiences and attitudes, and found a wide variety of viewpoints, ranging from discomfort at having to “babysit” employees to righteous beliefs about “protecting the integrity of the system.” Read on for their stories.

Read more on Computerworld.


DePaul University To Offer Degree In Predictive Analysis

Posted by samzenpus on Thursday June 17, @09:22AM

"The Chicago-based DePaul University will offer what it says is the nation's first master's degree in predictive analysis, the school announced on Wednesday in conjunction with IBM, which will provide resources for the program. 'We realized there was a need to create a program that prepared students in careers in data analytics and business intelligence,' said Raffaella Settimi, an associate professor at DePaul's College of Computing and Digital Media, who helped craft the program. 'A lot of the professionals who work in these fields have a variety of backgrounds, but there really isn't a program dedicated to data analytics,' Settimi said."

We call this the “Please sue me!” strategy.

HP and Yahoo To Spam Your Printer

Posted by samzenpus on Wednesday June 16, @10:35PM

"As many suspected when HP announced its web-connected printer, it didn't take long for the company to announce it will send 'targeted' advertisements to your new printer. So you'll get spammed, and you'll pay for the ink to print it. On the bright side, the FCC forbids unsolicited fax ads, so this will probably get HP on a collision course with the Feds."

I told you this would keep growing...

Google Wi-Fi Data Collection Discussed by 30 Attorneys General

Karen Freifeld and Joel Rosenblatt report:

Google Inc.’s collection of data via Wi-Fi networks was the subject of a conference call among law enforcement officials from 30 U.S. states, according to Connecticut Attorney General Richard Blumenthal.

“We’re looking to establish where, when, why, for how long and for what purpose there was this collection of information on wireless networks,” Blumenthal said yesterday in an interview. The call included representatives of the states’ attorneys general.


The U.S. Federal Trade Commission said last month that it is reviewing Google’s data gathering. An Oregon judge has ordered the company turn over similar data collected in that state, including any e-mails, files or digital phone records, according to court documents.

Also this month, Google said it was turning over to regulators in Germany, France and Spain data it mistakenly collected from unsecured Wi-Fi networks.

Read more on Bloomberg.

(Related) Interesting idea. Might be fun to see what the courts have recognized as true (admissible) for each technology.

June 16, 2010

Privacy International Launches System to Shed Light on Controversial Technologies

EPIC: "International watchdog Privacy International has announced the launch of a new website for bringing transparency to "technical mysteries" behind controversial systems. Cracking the Black Box identifies key questions regarding mysterious technologies and asks experts, whistleblowers, and other concerned parties to "help crack the box" by anonymously contributing ideas and input. The organization responsible for the technology in question is then invited to provide an official response. The first two issues addressed on the PI site are the Google Wi-Fi controversy and the EU proposal to retain search data."

Is this where we are heading? Won't the Lower Merion School District be happy! “Winston, you were supposed to read ‘1984,’ but we watched you read the Cliff Notes.”

OR Supreme Court ok’s policy to ease searches of students

Rachel Cheeseman reports:

The Oregon State Supreme Court ruled that warrantless searches of students in public schools by officials need only “reasonable suspicion” rather than “probable cause,” making it easier for school officials to search property of students.

The opinion of the Court, released June 10, stated that the Article I Section 9 rights of the Rex Putnam High School student had not been violated when David Pogel, a teacher at Rex Putnam, reached into the student’s pocket and removed the contraband inside.

Read more on Oregon Politico.

Comment: This is really a terrible decision in terms of basically giving students less privacy protection and schools more authority to conduct warrantless searches. It also opens the door to many more such searches and expansion of schools’ ability to search students for violations of school rules that have nothing to do with imminent danger or safety issues.

Maybe when they teach the Constitution in Oregon, they could save valuable time and just skip the Fourth Amendment because the students don’t get its protection?

They made the change because it would be easier to remember – and never considered rethinking their security. Typical!

OH: Treasurer’s site exposes taxpayers’ information to hackers

June 16, 2010 by admin

Barbara Carmen reports:

Franklin County property owners paying taxes online before Monday’s deadline might have innocently allowed thieves trolling cyberspace to snag checking-account or credit-card numbers.

Computer experts installed safeguards in 2001 when the county adopted a second Web address, one thought to be more memorable. But many people were familiar with the old address, which still pops up among the top choices on Yahoo and Google searches. So the county kept that one live, too.

Residents who use the newer address,, to pay 2009 property taxes will see the same Web pages as those using the original URL,

Only the newer one, however, has a secure connection for paying bills. The county saved money by buying a single, umbrella certification for the newer address.

Read more in the Columbus Dispatch.

Makes me ask how thorough their security testing is...

AT&T hit by another data breach

June 16, 2010 by admin

AT&T customers logging into their accounts to pre-order the Apple iPhone 4 reported that they were given access to the account information of other customers.

Despite entering their own usernames and passwords, the AT&T system would take them to another user’s account, according to gadget blog Gizmodo, which broke the news.

Some users said when they refreshed the web page, the site returned the correct account information.

AT&T told Gizmodo that it could not replicate the problem but noted that reports of the problem indicated some data, such as social security numbers and credit card numbers, was not disclosed.

Read more on InfoSecurity Magazine.

Gizmodo is all over this one, with a possible explanation offered by an unnamed AT&T insider about a weekend update that may be the source of the problem.

For my Statistics class. There are no reliable statistics – deal with it! (The annual wiretap report was one of my surveillance touchstones.)

DOJ’s surveillance reporting failure

Chris Soghoian writes:

In both 2004, and 2009, the US Department of Justice provided Congress with a “document dump”, covering 5 years of Pen Register and Trap & Trace surveillance reports. Although the law clearly requires the Attorney General to submit annual reports to Congress, DOJ has not done so, nor has it provided any reason for its repeated failure to submit the reports to Congress in a timely manner, as the law requires.


Based on 10 years of repeated failures, it seems clear that the Department of Justice is unable to supply Congress with annual reports for pen register and trap & trace surveillance. As such, I think it is time for Congress to take a serious look at this problem, and consider shifting the responsibility for the reporting to the Administrative Office of the U.S. Courts, which has a proven track record of reliably collecting and publicly disseminating similar statistics regarding wiretap orders.

Read more on Slight Paranoia, where Chris includes some surveillance statistics, drawn from an upcoming law review article.

One wonders why Congress continues to permit the Department of Justice to ignore its obligation [because they didn't really care? Bob] to provide annual reports on time. Chris suggests assigning responsibility to another agency, but in the alternative, if Congress were firmer that DOJ would not get some of its funding until it turned in its required paperwork on this, perhaps the DOJ would manage to do what it is supposed to do.

Then too, if we actually had a Privacy and Civil Liberties Oversight Board that had anyone on it….. but the Board continues to remain empty under Obama’s administration.

(Related) Another flaw in the statistics.

The Tie Between ID Theft & Illegal Immigration

June 16, 2010 by admin

Sarah Buduson reports on the relationship between ID theft and illegal immigration. What I particularly like about this piece is comments from Mark Pribish pointing out that although such cases are counted as ID theft, they’re not really ID theft and are (just) employment fraud. Of course, even employment fraud as opposed to cases where identity info is stolen and misused can have a serious impact on the person whose SSN has been fraudulently used for employment, but I’m glad to see the distinction being made.

A Valley identity theft expert said there’s a strong correlation between high rates of ID theft and the numbers of illegal immigrants in a state.

The states with the highest rates of identity theft complaints are also states with “illegal immigration issues,” according to Mark Pribish, an identity theft expert who works for Merchants Information Solutions.

“In those states,” said Pribish, “You have a lot of illegal immigrants filling out employment numbers with nine random numbers of where a Social Security number is supposed to be.

“The Federal Trade Commission counts it as an identity theft event, so even though an actual ID theft event did not take place,” he said. “In reality, it’s an employment fraud event. You have misrepresentation on an employee application.”

In 2009, the states with the highest rates of identity theft complaints were Florida, Arizona, Texas, California and Nevada, according to the Federal Trade Commission’s website.

“It does skew the statistic on how many ID thefts are taking place,” said Pribish.

Read more on KPHO.

Our negotiators are better?

EU plan to share bank data with US is ‘wholly unbalanced’, says expert

The European Commission has agreed with the US the terms on which it will allow that country’s authorities access to the banking details of EU citizens. The agreement must be approved by the European Parliament and Council before coming into force.


Chris Pounder, director of Amberhawk Training and formerly of Pinsent Masons, the law firm behind OUT-LAW.COM, disagreed. In a blog post, he said that that requirement is no barrier to excessive information transfer. “The Draft Agreement appears to be wholly unbalanced,” he said.

“Article 4 allows the US Treasury to obtain ‘Data’ on request,” he said. “All the Treasury need do is specify the categories of data it wants as being necessary in connection with terrorism, get the formal approval of fellow security officers in Europol, and then the personal data can be transferred. Note there is no judicial warrant needed in relation to requests which could involve considerable amounts of personal data.”

“However, when the EU want data from the USA, Article 10 requires them to identify ‘a person or entity that there is reason to believe has a nexus to terrorism or its financing’. The difference between the two approaches is profound,” said Pounder.


A report worth reading?

June 16, 2010

Rand - Security at what cost? Quantifying trade-offs across liberty, privacy and security

Rand - Security at what cost? Quantifying trade-offs across liberty, privacy and security, by Neil Robinson, Dimitris Potoglou, Chong Woo Kim, Peter Burge, Richard Warnes

  • "The balance between liberty, privacy and security is often polarised around concerns for civil liberties and public safety. To balance these concerns, policymakers need to consider the economic and social consequences of different security options as well as their effectiveness. In particular, they need to know whether individuals are willing to surrender some liberty or privacy in return for security benefits. Research in this domain has been mainly qualitative and as such, simple polling techniques that are likely to lead to unrealistic and unquantifiable responses are not usable for economic analysis. RAND Europe undertook a self-funded initiative to try to understand and quantify the trade-offs that people might make when confronted with real-life choices about privacy, liberty and security. The study used stated preference discrete choice experiments to present respondents with alternative options, each with advantages and disadvantages that they must explicitly trade-off when selecting between options. Respondents could also state where they would prefer the status quo. We examined three scenarios where trade-offs might arise: applying for a passport; traveling on the national rail network; and attending a major public event. Our approach showed that it is possible to obtain and quantify the views and preferences of citizens as users of security infrastructure. In particular, stated choice discrete choice experiments provided a refined understanding of the importance people place on a number of factors describing each scenario such as the degree of comfort in providing personal data to obtain a passport or when passing through different types of security checks."

One of those “Well, DUH!!” reports

June 16, 2010

New GAO Reports: Credit and Debit Cards, Cybersecurity, Federal Energy Management, Cost of Major Oil Spills

  • Cybersecurity: Continued Attention Is Needed to Protect Federal Information Systems from Evolving Threats, GAO-10-834T, June 16, 2010

“We will definitely (make it look like we can) protect our infrastructure!” Congress

DHS Geek Squad: No Power, No Plan, Lots of Vacancies

The federal government still sucks at protecting its networks. One big reason why: The agency that’s supposed to tighten up Washington’s information security has neither the authority nor the manpower to respond effectively to the threat of electronic attacks.

Back in 2003, the Department of Homeland Security set up the U.S. Computer Emergency Readiness Team (US-CERT) to spot vulnerabilities in the government’s networks, and coordinate responses when those flaws are exploited. But seven years later, US-CERT is still “without a strategic plan,” DHS Inspector General Richard Skinner tells the House Homeland Security Committee.

Legal stuff, NOT a guide to hacking the iPhone.

iPhone Jailbreak Videos: A Legal Primer and a How-To

Do we have a “Right to Privacy” or a “Right to Balance Privacy against Safeguards?”

E.U. Tries to Balance Terror War and Privacy

James Kanter reports:

The European Commission proposed ways Tuesday to safeguard information used by the authorities to track the finances of terrorism suspects and to ensure that body scanners at European airports do not jeopardize the health or privacy of passengers.

The commission, the European Union’s executive, made the proposals in Strasbourg against a background of mounting concerns in the Union on how to balance protecting privacy with combating terrorism.

Read more in the New York Times.

(Related) If you can't use Behavioral Advertising, go back to the old model.

Website owners lobby against bill

Kim Hart reports:

Dozens of small online publishers descended on Capitol Hill Tuesday to make an appeal to lawmakers, saying proposed privacy regulations could put them out of business.

Owners of websites such as and make their living by selling ads on their sites. They fear advertising revenue will evaporate under regulations proposed by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.), chairman and ranking member of the House Subcommittee on Communications, Technology and the Internet.

Read more on Politico.

Tanya Forsheit also continues her report on reactions to the proposed legislation on InformationLawGroup.

[From the Politico article:

In a draft version of the bill, Boucher and Stearns want Internet users to give explicit consent before websites can share their personal data with third-party advertisers. Small websites that rely on third-party advertising networks for nearly all of their ads say securing consent from every visitor before showing an ad would be difficult.

The rise of the Internet of Things...

10 Everyday Items Hackers Are Targeting Right Now

(Related) Just wait...

Why Intel Wants To Network Your Clothes Dryer

Posted by Soulskill on Thursday June 17, @10:04AM

"Intel has shown off a working prototype of a small box that, among other things, can monitor your clothes dryer to see how much it's contributing to your power bill. The Intelligent Home Energy Management proof-of-concept device is a small box with an 11.56" OLED touchscreen that is designed to act as an electronic dashboard for monitoring energy use in the home. By equipping devices like home entertainment systems and clothes dryers with wireless networked power adapters, the system can actually report back the power draw for a particular power point. Leave the house, and it can make sure power draining devices like that plasma TV are turned off. It is unlikely the device will enter production (there are apparently only four in existence), however this story about the box shows something we can expect to see in the home of tomorrow. Ultimately, it's not only about saving money, but also reducing load on the electricity grid by removing needless power use."

Another attempt to make Open Source comprehensible...

June 16, 2010

New on What is Open Source?

What is Open Source? - In the past few years, the term open source has been bandied about not just in library-land, but in every industry. When a term is talked about this much, some would say to the point of overuse, people start to think it's a fad. In this and upcoming articles, Nicole C. Engard is here on LLRX to tell you that open source is no fad, and why.

...and sometimes Statistics are just impossible to believe. Especially since Optenet is in the “child protection” business.

Over a Third of the Internet Is Pornographic

Posted by samzenpus on Wednesday June 16, @04:20PM

"Pornography makes up 37% of the total number of web pages online, according to a new study published by Optenet, a SaaS provider. According to the report, which looked at a representative sample of around four million extracted URLs, adult content on the Internet increased by 17% in the first quarter of 2010, as compared to the same period in 2009."

Wednesday, June 16, 2010

No real surprise, but why haven't we heard of more incidents like this?

FBI's Facebook Monitoring Leads To Arrest In England

Posted by timothy on Tuesday June 15, @06:35PM

"The BBC reports that armed police were called to a UK school earlier today after being advised of a potential threat by the FBI. The school stated that the FBI 'raised the alarm after Internet scanning software picked up a suspicious combination of words,' strongly implying that they are carrying out routine, automated surveillance of social networking sites. While in this case it does appear that there may have been a genuine threat, the story nonetheless raises significant privacy concerns."

This isn't new, is it?

June 15, 2010

Several State Attorneys General Announce Probes of Google Wireless Data Collection

  • News release: "Attorney General Richard Blumenthal is asking Google whether its “street view” cars collected personal information transmitted over wireless networks without permission while photographing Connecticut streets and homes. Google has acknowledged that “street view” cars in some locations have intercepted information from unsecured personal WIFI networks. In Europe, notably Ireland, Google admitted intercepting packets of data from unsecured WIFI networks. Private litigation alleges that Google also did so in the United States. Published reports say the captured, private online information may include general web browsing, passwords, personal emails and other data. Blumenthal wrote Google asking the company whether it gathered such data in Connecticut. If it did, the attorney general is demanding that the company tell his office how much and what kind of information it collected, when and where it did so, why, where the data is stored and other information."

  • News release: "Attorney General Chris Koster sent a letter to Google, asking the company to provide details on personal information it may have collected from Missourians in connection with Google's Street View Service. Recent media reports and admissions by the company indicate that as part of Google's effort to collect data for its mapping service Street View, the company may have gained access to residents' communications sent over public Wi-Fi networks."

Amazing how much attention this got on the Web, but nothing I could find in conventional media. Note: Other sources suggest the picture may have been doctored.

Miley Cyrus upskirt shot: Child porn?

… The facts as we know them: On Sunday, Hilton's Twitter account sent out the following message: "If you are easily offended, do NOT click here Oh, Miley! Warning: truly not for the easily offended!" The photo in question has since been yanked down, but the image is allegedly of Cyrus climbing out of a car wearing a dress and no underwear (according to, this is a censored version of the image in question). Now, Hilton has posted upskirt shots before of Britney Spears -- but Cyrus is roughly five months short of her 18th birthday. She's still a minor and it's legally considered child pornography.

Old school, but fun.

Free Morse Code Software To Send & Receive Coded Radio Messages With Your Computer

'cause some of my students have talent!

Easily Learn 3D Modeling With 3DVIA Shape


Easily Identify That Cool Text Font with WhatFontIs

Tuesday, June 15, 2010

Failure to design security into your product – “do it right or do it over.”

AT&T Breach May Be Worse Than Initially Thought

Posted by Soulskill on Monday June 14, @05:47PM

"I'm somewhat of an authority on GSM security, having given presentations on it at Shmoocon (M4V) and CCC (I'm also scheduled to talk about GSM at this year's Defcon). This is my take on the iPad ICCID disclosure — the short version is that (thanks to a bad decision by the US cell companies, not just AT&T) ICCIDs can be trivially converted to IMSIs, and the disclosure of IMSIs leads to some very severe consequences, such as name and phone number disclosure, global tower-level tracking, and making live interception a whole lot easier. My recommendation? AT&T has 114,000 SIM cards to replace and some nasty architectural problems to fix."

Reader tsamsoniw adds that AT&T has criticized the security group responsible for pointing out the flaw, while the group claims they did it 'as a service to our nation.'

“Can you hear me now?”

The South Carolina Primary and Voting Machine Fraud

Posted by kdawson on Tuesday June 15, @02:36AM

"South Carolina sure knows how to pick 'em. Alvin Greene is a broke, unemployed guy who is facing a felony obscenity charge. He made no campaign appearances and raised no money, but he is the brand new Democratic Senate nominee from South Carolina. Tom Schaller at does a detailed analysis of how a guy like this wins a primary race, and many of the signs point to voting machine fraud. There seem to have been irregularities on all sides. 'Dr. Mebane performed second-digit Benford's law tests on the precinct returns from the Senate race. ... If votes are added or subtracted from a candidate's total, possibly due to error or fraud, Mebane's test will detect a deviation from this distribution. Results... showed that Rawl's Election Day vote totals depart from the expected distribution at 90% confidence. In other words, the observed vote pattern for Rawl could be expected to occur only about 10% of the time by chance. ... An unusual, non-random pattern in the precinct-level results suggests tampering, or at least machine malfunction, perhaps at the highest level. And Mebane is perhaps the leading expert on this very subject. Along with the anomalies between absentee ballot v. election day ballots..., something smells here.' points out that South Carolina uses ES&S voting machines, which have had strings of problems before; and they have no audit trail."
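The second-digit Benford test quoted above is easy to reproduce. The following is an added example written for this post, not code from Schaller, Mebane or the original article, and the page does not describe Mebane's exact procedure; this is the usual form of the test, a Pearson chi-square goodness-of-fit statistic comparing the observed second digits of precinct totals against the Benford expectation, with 9 degrees of freedom (10 digit bins minus one). The "90% confidence" in the quote corresponds to the 0.10 significance level below. The vote totals are constructed, not South Carolina returns; the critical values are standard chi-square table values.

```python
"""Second-digit Benford's law (2BL) screen for precinct vote totals."""
import math
from collections import Counter

# Critical values of the chi-square distribution with 9 degrees of freedom
# (10 second-digit bins minus 1): 0.10 -> 14.684, 0.05 -> 16.919, 0.01 -> 21.666.
CHI2_CRIT_9DF = {0.10: 14.684, 0.05: 16.919, 0.01: 21.666}


def benford_second_digit_probs():
    """Expected share of each second digit 0..9 under Benford's law.

    P(d) = sum over first digit k = 1..9 of log10(1 + 1 / (10k + d)).
    """
    return {d: sum(math.log10(1 + 1 / (10 * k + d)) for k in range(1, 10))
            for d in range(10)}


def second_digit(value):
    """Second significant digit of a non-negative integer, or None when the
    total has fewer than two digits (such precincts are left out)."""
    digits = str(abs(int(value)))
    return int(digits[1]) if len(digits) >= 2 else None


def second_digit_chi_square(totals):
    """Pearson chi-square statistic of the observed second-digit counts
    against the Benford expectation. Returns (chi2, n_used)."""
    observed = Counter(d for d in map(second_digit, totals) if d is not None)
    n = sum(observed.values())
    if n == 0:
        return 0.0, 0
    expected = benford_second_digit_probs()
    chi2 = sum((observed.get(d, 0) - n * expected[d]) ** 2 / (n * expected[d])
               for d in range(10))
    return chi2, n


def flag_anomaly(totals, alpha=0.10):
    """True when the second-digit pattern departs from Benford at the given
    significance level (alpha must be one of the tabulated keys)."""
    chi2, _ = second_digit_chi_square(totals)
    return chi2 > CHI2_CRIT_9DF[alpha]


# Constructed sample inputs (not real election returns).
# Log-uniform values between 100 and 999 follow Benford closely.
BENFORD_LIKE = [int(10 ** (2 + i / 5000)) for i in range(5000)]
# Totals that were all padded to round numbers: the second digit is always 0,
# the kind of non-random pattern a 2BL test is meant to surface.
ROUND_PADDED = [100, 200, 300, 400, 500, 600, 700, 800, 900, 1000]

if __name__ == "__main__":
    for name, data in (("benford-like", BENFORD_LIKE), ("round-padded", ROUND_PADDED)):
        chi2, n = second_digit_chi_square(data)
        print(f"{name}: n={n} chi2={chi2:.2f} flagged={flag_anomaly(data)}")
```

A deviation flagged by this screen is a reason to pull the paper trail and audit, not proof of fraud: small precinct counts, rounding and honest clerical errors also move the statistic, which is why the quoted analysis pairs it with the absentee-versus-election-day comparison.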

Failure to design security into your product.

ISP Attempt To Block File-Sharing Ends in Epic Failure

Last week saw French ISP Orange take the opportunity to start providing a service which, at least on the surface, is designed to put the minds of subscribers at rest. For a 2 euro per month payment, Orange is offering a service which “allows you to control the activity of computers connected to your internet line, from downloading ‘illegally’ using peer-to-peer networks.”

… “The software communicates with a remote server, a Java servlet actually located on the ip,” he explains.

Nothing too out of the ordinary there – except that all information is not only being transmitted in the clear but all information on that server is public (via, meaning that every user had their IP addresses exposed to the public. But it doesn’t stop there.

Whoever set up the security on the server admin panel didn’t do a very good job. The username was set to ‘admin’ and the password set to ‘admin’ too. This morning that gaping hole was still open.

TorrentFreak is informed that people have accessed the server and have discovered that it’s possible to send malware to anyone using the software which makes a bit of a joke out of Orange when it claims: “The software runs in the background to ensure your safety without disrupting the important tasks that you perform”

e-Law 101: How will this work when everyone is connected to everyone?

Thursday, June 10, 2010

Reversal of Conviction Because Undisclosed MySpace Friendship Between Defendant and Juror

Brian Peterson posts on a fascinating West Virginia Supreme Court of Appeals decision involving the use of social media between a juror and defendant and the issue of disclosure of such connections during voir dire.

… To get the full context of what occurred I recommend reading the full decision. Also, jump over to Brian's blog post to read more of his comments on the decision. I agree with his conclusion, "It's clear that voir dire and jury instructions need to catch up with technology."

Dang! Now I've got to re-write my Ethical Hacking mid-term.

Starbucks Frees Wi-Fi

Posted by kdawson on Monday June 14, @08:06PM

"Free unlimited Wi-Fi is coming to nearly 7,000 company-operated Starbucks stores in the US beginning July 1, Starbucks CEO Howard Schultz said on Monday. Schultz also said that Starbucks is partnering with Yahoo! to debut the Starbucks Digital Network this fall. Starbucks customers will have free unrestricted access to various paid sites and services, such as, as well as other free downloads Starbucks didn't detail. A spokeswoman said the access will be 'unlimited' and 'simplified, one-click.' By comparison, first-time Wi-Fi users in Starbucks stores now get up to two hours free after registering, but then must purchase additional time at the rate of $3.99 for two consecutive hours. That Wi-Fi access is already free to AT&T DSL home customers and AT&T mobile customers, according to the Starbucks website, but the connection process requires up to nine steps. McDonald's added free Wi-Fi to 11,500 locations earlier this year."

Suddenly, we are “professional critics?”

Silicon Valley readies for privacy battle

June 15, 2010 by Dissent

Mike Swift reports:

In the wake of a series of privacy missteps by Google, Facebook and other companies, a growing chorus on Capitol Hill is calling for major online privacy legislation and Silicon Valley companies are girding for the battle.


The interest in Washington is because “professional privacy critics are generating the noise and the calls for legislation,” said Steve DelBianco of NetChoice, a confederation of Internet companies and trade groups. DelBianco sees a cultural conflict between the valley’s innovate-or-die mindset and Washington’s love of the status quo.

Read more in the Mercury News.

Downstream consequences...

Is e-mailing a commenter an invasion of privacy or acceptable blogger behavior?

June 14, 2010 by Dissent

Like many blogs, this one uses a WordPress platform. And like many bloggers using WordPress, I’ve configured it so that when someone tries to submit a comment, I get the submission by e-mail from the blog and can then decide whether to approve it, delete it, or spam it.

But can I then argue that I can e-mail the commenters in reply to their submissions because they e-mailed me first? Believe it or not, that’s how at least one blogger treats comment submissions.

I would argue that commenters submitting comments to blogs are not knowingly e-mailing the blogger [but users should know that once they surrender control of the data (email, bank account number, whatever) it can go anywhere and stays in play forever... Bob] and that the blogger should not be replying to the individual by e-mail unless the commenter has specifically requested a reply by personal e-mail or unless the blog’s stated privacy policy cautions site visitors that if they submit a comment for moderation, the blogger may, at his or her discretion, respond by e-mail.

Why do I mention this now? Because occasionally I hear from people who submitted comments that were critical of the author of another WordPress-based blog and who then found themselves receiving unsolicited and unwelcome e-mails from the blogger. Having been sent examples of the blogger’s unsolicited e-mails, I can understand their distress. They submit a comment that disagrees with the blogger or is critical of the blogger and then find themselves on the receiving end of e-mail from the blogger calling them ignorant, hateful, etc. The blogger reportedly does not post her reply in the Comments section of the blog, and may not even have approved their submission, and now they find themselves in a nasty exchange of e-mails.

I hope that the blogger in question is just uninformed and doesn’t realize that comment submitters using an on-site comment submission form are not directly e-mailing her. But if she does now understand that, will she now respect her site visitors’ privacy by not sending unsolicited e-mail or will she continue to send them verbally abusive e-mails? One individual, who forwarded such e-mails to me, told me that he had to actually change his e-mail address to stop her from e-mailing him. And all because he submitted a comment on her blog that disagreed with something she had said.

But what do others think? Should a blogger ever reply to a comment submission by e-mail? Is it an invasion of privacy? And if you think that there are circumstances when it’s acceptable for a blogger to reply to a comment submission via unsolicited e-mail, under what conditions do you think it’s justified?

This is going to be interesting... I've already had my students download entire textbooks...

E-Reserves Under Fire From Publishers

Posted by Soulskill on Monday June 14, @03:36PM

"Publishers Weekly has a story about a copyright lawsuit lodged against several faculty members and a librarian at Georgia State University. The case, Cambridge University Press, et al. v. Patton et al., involves e-reserves, a practice of making electronic copies of articles available to students. From the article: 'Rather than make multiple physical copies, faculty now scan or download chapters or articles, create a single copy, and place that copy on a server where students can access it (and in some cases print, download, or share). Since the practice relies on fair use (creating a single digital copy, usually from a resource already paid for, for educational purposes), permission generally isn't sought, and thus permission fees aren't paid, making the price right for students strapped by the high cost of tuition and textbooks, as well as for libraries with budgets stretched thinner every year.'"

We can (save money and appease the tree huggers), therefore we must!

Money trumps security in smart meter rollouts, experts say

For my Disaster Recovery class.

Nasa Warns of Potential 'Huge Space Storm' In 2013

Posted by kdawson on Tuesday June 15, @08:15AM

"Senior space agency scientists believe the Earth will be hit with unprecedented levels of magnetic energy from solar flares after the Sun wakes 'from a deep slumber' sometime around 2013. In a new warning, NASA said the super storm could hit like 'a bolt of lightning' and could cause catastrophic consequences for the world's health, emergency services, and national security — unless precautions are taken. Scientists believe damage could extend to everyday items such as home computers, iPods, and sat navs. 'We know it is coming but we don't know how bad it is going to be,' said Dr Richard Fisher, the director of Nasa's Heliophysics division. 'I believe we're on the threshold of a new era in which space weather can be as influential in our daily lives as ordinary terrestrial weather.' Fisher concludes. 'We take this very seriously indeed.'"

For my website students

Monday, June 14, 2010

HTML Helper - 20 HTML Tutorials


5 Extensive JavaScript Code Library Options For Developers

I gotta get me one of these!