Saturday, October 09, 2010

A little advance notice: Next week, our friends at the Privacy Foundation will be announcing a seminar on the “Legal Implications of Internet Advertising” to be held Friday, November 5th. You can contact Diane Bales at the Sturm College of Law at the University of Denver, 303.871.6580, for more information.

New Class of Malware Will Steal Behavior Patterns

Posted by Soulskill on Friday October 08, @09:32AM

"The information within huge, supposedly anonymized data sets can be used to build a detailed picture of an individual's lifestyle and relationships. This data is hugely valuable, which is why many companies already mine the pattern of links in their data to help them build things like recommender systems. Now a group of computer scientists say it is inevitable that a new class of malware will emerge for stealing this behavioral pattern data from social networks. They've analyzed the types of strategies this malware will use to collect information from a real mobile phone database of 800,000 links between 200,000 phones. They point out that the theft of behavioral data can be much more serious than the theft of other personal information. If somebody steals your credit card or computer password, for example, you can just get another card or change your password, thereby limiting the damage. That can't be done with behavioral data, they say. Who would be willing or able to change their real world pattern of person-to-person relationships, friendships and family ties?"

More on targeting Muslim communities for extra surveillance “to prevent crime.”

UK: The Independent View: surveillance lessons from Birmingham

October 8, 2010 by Dissent

James Elsdon-Baker, an activist with the NO2ID campaign, has a good commentary on the recent review of a poorly conceived, poorly communicated, and even more poorly implemented surveillance plan in Birmingham.

What U.S. readers will find particularly interesting are some of the statistics that he includes. Somewhat mind-boggling, to say the least.

Here’s a snippet from his article:

ANPR [Automated Number Plate Recognition Bob] differs from CCTV in that the information captured by the cameras is processed and stored on a massive centralized database. Although these cameras in a Muslim area are currently not in use (as I write it’s unclear if they will be taken down), there will remain a national network of over 10,000 cameras. Together they have captured over 7,600,000,000 occasions on which the location of people’s vehicles has been automatically logged. This data is held for five years at the National ANPR Data Centre (NADC) that is operated by the National Police Improvement Agency and routinely shared with other countries.

Read more on Liberal Democrat Voice.

Part of a CIO's job is to monitor system capacities and avoid problems like this. What else will they fail to do? NOTE: The previous article mentions 7 Billion records in the UK database.

US Monitoring Database Reaches Limit, Quits Tracking Felons and Parolees

Posted by timothy on Saturday October 09, @04:24AM

"Thousands of US sex offenders, prisoners on parole and other convicts were left unmonitored after an electronic tagging system shut down because of data overload. BI Incorporated, which runs the system, reached its data threshold — more than two billion records — on Tuesday. This left authorities across 49 states unaware of offenders' movement for about 12 hours."

As the astonished submitter asks, "2 billion records?"

[From the article:

Prisons and other corrections agencies were blocked from getting notifications on about 16,000 people...

… In Wisconsin, local police and probation agents held about 140 sex offenders at local jails until the GPS tracking system was restored. [Prevented their release or rounded them up? Neither seems likely. Bob]

The offenders - about 300 in the state, most of them sex offenders - were never aware they were not being tracked, state Department of Corrections spokeswoman Linda Eggert said.

… “In retrospect, we should have been able to catch this,” said Jock Waldo, BI Incorporated spokesman. [“Well, DUH!” Bob]


Privacy Defense Mounted

October 8, 2010 by Dissent

Julia Angwin and Scott Thurm report:

Eleven of the nation’s largest website operators defended their privacy practices to lawmakers, saying it is impossible for them to monitor all the tracking technologies their sites install on visitors’ computers. [What they actually said was: "It is technically impossible for Yahoo! to be aware of all software or files that may be installed on a user's computer when they visit our site" Bob]

The operators, including Microsoft Corp., Yahoo Inc. and AOL Inc., say they are improving disclosures about online tracking and offering users more ways to protect their privacy. But they say that eliminating tracking is technically difficult and economically impractical, [“Do you know how expensive it is to flip a switch!” Bob] because the targeted advertisements supported by tracking allow the operators to offer free content.

Read more on WSJ (behind paywall, though)

If I were writing the headline for this, I wouldn’t have called it “Privacy Defense Mounted.” Maybe “Website Operators Claim They Really Have No Idea What They’re Doing.”

Coming soon to a National Health Records system near you!

AU: iPads for Doctors

By Dissent, October 8, 2010

The Australian Privacy Foundation has written to the Victorian Department of Health over reports that 500 iPads are to be provided to graduate doctors and nurses. Noting the potential benefits of such technology, APF homed in on a few key privacy and security issues.

In a letter signed by Roger Clarke, the group asks Andrew Howard, Chief CIO for the Department of Health, whether the pilot study reportedly being conducted was ever approved by a research ethics review board. It also asks whether there’s been a privacy impact assessment, and:

APF understands that many of the staff involved are academic-clinicians and are staff of both Alfred Health and Monash University. APF further understands that Monash uses Google as its email-provider.

What consideration has been given to the proprietary nature of both the Apple and Google services and data formats, and the data security aspects of the services, in the context of inter-operable information sharing?

(Related) A video demoing some of the technology Kaiser Permanente is considering.

Inside the hospital of the future

Think of this as notification that you are already too late.

New Tool Suite Helps Track Privacy Policies

Posted by Soulskill on Friday October 08, @03:10PM

"Forbes reports that The Internet Society announced this week the availability of the Identity Management Policy Audit System, a suite of tools designed to give Internet users a clearer understanding of the online usage policies of the websites they visit. Born out of a collaboration between The Internet Society, the University of Colorado, the Electronic Frontier Foundation, and the Center for Democracy and Technology, the system consists of a free, open-source Firefox plug-in that checks a library of scraped terms of service and privacy policies from several popular websites. If a site changes the fine print of one of its policies, the plug-in notifies the user when they visit the website next. According to Forbes, 'that functionality would help users spot controversial switcheroos in sites' legalese, such as Facebook's change last year that suddenly gave the site the right to use your photos and other content.'"

More on the Aldi skimmers.

Skim Scam: Did Aldi Invite 11-State Coordinated Attacks?

October 8, 2010 by admin

Frank Hayes writes:

When a gang of thieves physically tampers with point-of-sale systems, the tampering is usually a local operation. But that may be changing. Discount grocer Aldi said Friday (Oct. 1) that it has found tampered payment-card readers in stores in 11 states, spread from the east coast to Illinois. The retailer said the tampering was only in a limited number of its 1,100 U.S. stores, and all those stores were clustered near 10 cities—but the stolen data is being cashed out thousands of miles away.

Read more on StorefrontBacktalk. Via @_Florindo_

Reading the full commentary, I started thinking that this sounds very much like what we heard in the Hancock Fabrics breach. In that multi-state breach, the chain also seemingly used older pin pads.

Are older pin pads a thief’s best friend?

[From the article:

The retailer won’t say exactly how many stores got the tampered devices, but a spokesperson said that they were found in only a “limited number” of stores, and they were probably placed there during June, July and August. [and no one noticed! Bob]

… And because Aldi only accepts debit cards, not credit cards, at most stores, the card information collected by a skimmer (complete with PIN) would give direct access to a customer’s bank account.

These kinds of physical attacks should be much less common than they are, and they would be that much less common if retailers were more meticulous about reviewing their network activity logs, [AMEN! Bob] said QSA and StorefrontBacktalk PCI columnist Walter Conway. “There should be huge red flags in the logs if anyone disconnects a terminal.”

Does anyone leave their laptop in their checked baggage?

FAA Reports Heat In Cargo Holds Can Ignite Laptop Batteries

Posted by timothy on Saturday October 09, @01:23AM

"US aviation officials are warning air carriers that new research shows lithium batteries are sensitive to heat and can ignite in-flight if transported in cargo compartments that get too hot. The Federal Aviation Administration also acknowledged publicly for the first time Friday that a United Parcel Service 747-400 plane that crashed in Dubai last month killing both pilots was carrying a large quantity of lithium batteries. Since the early 1990s, there have been dozens of incidents of batteries igniting in flight. But it has not been known what triggered many of the fires. FAA now says recent research has identified heat as the trigger and is offering air carriers advice on how to reduce the risk of fire."

Are we missing something? The EU seems to think this is an early peek at “Weapons of Cyberwar”

EU calls Stuxnet 'paradigm shift' as U.S. responds more mildly

While official U.S. response has been comparatively mild, the European Union's cybersecurity agency says Stuxnet represents a "paradigm shift" in critical infrastructure threats and that current defense philosophies need to be reconsidered.

Again I suspect I'm missing something. The judge seems to be suggesting that everyone will be insured at the same rate and that rate won't cover the payouts. If that is true, then the “Insurance Industry” is already gone, isn't it?

Health insurance mandate upheld

A federal judge in Detroit, in a broad ruling upholding Congress’s power to require all Americans to buy health insurance or pay a penalty, decided Thursday that the mandate is necessary to prevent the “extinction” of the nation’s entire health care insurance market. U.S. District Judge George Caram Steeh said the requirement was well within Congress’s power to regulate commerce among the states. The decision is the first by a federal court to rule directly on the constitutionality of the buy-or-be-penalized provision of the sweeping new health care reform law.

The Obama Administration lost on two arguments it had made to Judge Steeh — that the challengers in the Michigan case had no legal right to sue to stop the insurance mandate, and that their lawsuit in any event was premature. But, after finding that the challengers were properly in court and that a decision was appropriate now, the judge went on to rule that the requirement satisfies the Constitution and dismissed the claims targeting that specific provision of the new law. Thus, the result was a major victory for the Administration.

This is too strange. But if it is a fake, it's a good one.

Woman Uploads Child Porn, Police Raid Her Neighbor’s House…then it Really Gets Strange

Tools & Techniques - A Tool For Drawing On Webpages

Markup is a new collaboration tool that will let you draw on any webpage that you come across, and communicate your ideas to others in a more visual way. Certainly, being able to draw a pattern highlighting where different parts of a design should be is a much quicker way to let the rest of your team know what you mean than writing a long email that can be misinterpreted to no end.

Markup is a browser-hosted application. You (and your coworkers) won’t need to download anything in order to use it. All you will have to do is drag and drop the relevant bookmarklet into position. From that point onwards, Markup can be launched by merely clicking on the relevant button.

… And I didn’t mention it above, but you also have a tool for writing text on the page.

Tools & Techniques

10 Awesome Free Tools To Make Infographics

Friday, October 08, 2010

Hey, it's the law!

French ISP Refuses To Send Out Infringement Notices

Posted by timothy on Friday October 08, @02:19AM

"Last month it was clear that French ISPs were not at all happy about the whole three strikes Hadopi process in France. Now that the 'notice' process has started, with Hadopi sending out notices to 10,000 people per day, it's hit a bit of a stumbling block. The French ISP named 'Free' has apparently figured out a bit of a loophole that allows it to not send out notices and protect its subscribers. Specifically, the law requires ISPs to reveal user info to Hadopi, but it does not require them to alert their users. But, the law does say that only users who are alerted by their ISP can be taken to court to be disconnected. In other words, even if Free is handing over user info, so long as it doesn't alert its users (which the law does not mandate), then those users cannot be kicked off the internet via Hadopi."

In the UK they make speeches....

Speeches: “The English Law of Privacy: An Evolving Human Right” – Lord Walker

October 7, 2010 by Dissent

Hugh Tomlinson QC writes:

On 25 August 2010 Supreme Court Justice Lord Walker of Gestingthorpe gave a speech to the Anglo-Australasian Lawyers Society at Owen Dixon Chambers, Melbourne on the subject of privacy. His title was “The English Law of Privacy: An Evolving Human Right”. The lecture contains an interesting and useful overview of the current law of privacy, particularly in relation to the media. Lord Walker suggests that, as the law of privacy develops, “its origin in the law of confidence will become a historical curiosity” and that we have now reached the point where “invasion of personal privacy” is a separate tort.

Read more on UKSC Blog.

[From the article:

He emphasises the importance of “the discipline of analysing an issue correctly”, considering first the question of interference with Article 8 rights and second that of the justification for that interference.

(Related) In the US, we give “lip service”

White House lies says online investigations, privacy can coexist

October 7, 2010 by Dissent

Aliya Sternstein reports:

Civil liberties and national security are at the core of the White House’s cybersecurity agenda, a senior administration official said late Wednesday, amid concerns the FBI’s desire to wiretap the Internet conflicts with protecting personal information on the Internet.

“We don’t take the position that this is an either-or situation,” the official said during the first week of the 7th annual National Cybersecurity Awareness Month. “Hardening our cybersecurity defenses around critical infrastructure and protecting classified and sensitive information go hand in hand and are easy examples to point to.”

You can read more on NextGov. Personally, I can’t read any more of the government’s bullshit on this. If they’re serious about protecting personal information: WHY IS THE PRIVACY AND CIVIL LIBERTIES OVERSIGHT BOARD STILL SITTING EMPTY?

(Related) In any case, actions speak louder than words.

Breach Notice: The Struggle for Medical Records Security Continues

By Dissent, October 7, 2010

William Pewen, who was involved in drafting the language in ARRA, has an excellent commentary on Health Affairs Blog:

On July 28 the Obama Administration surprised many in the health sector by withdrawing a pending Department of Health and Human Services (HHS) final “breach notification” rule governing when consumers must be informed of illicit access or use of their medical records. With this exceptional action, the Administration now has a critical opportunity to correct a rule which undermined congressional efforts to secure medical records. Contrary to the underlying statutory language – which I took the lead in drafting as the senior health advisor to Senator Olympia Snowe (R-ME) – the rule drafted by HHS to implement the statute would have allowed medical providers to bypass notification if they themselves decided that consumers had not been harmed by a breach.

Withdrawal of the rule is a positive step. However, efforts to weaken consumer privacy protections will resume. Industry will once again attempt to block efforts to promote transparency and data security, and support for health information technology (IT) will erode if Americans find Washington unresponsive in protecting their health information.

Read more of his thoughtful commentary on Health Affairs Blog.

Gary Alexander sent me this one. Should be interesting.

Internet Privacy Suits Filed Against Yahoo, Others

A set of potential class actions filed recently in Fulton County, Ga., Superior Court against three Internet powerhouses raises interesting questions about how law enforcement agencies get information about Internet users without their knowledge.

While the suits address the government's ability to see what people do on the Web, their viability may turn on more process-oriented questions: how Georgia subpoenas and warrants are served and where they are valid.

The suits claim that Comcast, Yahoo and Windstream have violated federal wiretap and computer privacy laws by providing information in response to warrants or subpoenas issued by Georgia judges or magistrates, which are then faxed or otherwise relayed to the Internet companies' headquarters outside of Georgia.

"If these were federal warrants, there would be no cause of action," said one of the plaintiffs' attorneys, Joshua A. Millican. "But these are state warrants, and they have no force outside of the state of Georgia."

… The three suits, filed on behalf of two class representatives, charge "willful violations" of the U.S. Stored Communications Act [SCA] and the Wiretap Act by each company.

Each defendant "routinely and unlawfully accepts as valid legal process from law enforcement and other government entities" faxed subpoenas from state grand juries or trial judges, often with instructions not to notify the customer whose account will be searched, the suit said.

"Search warrants signed by state magistrates and other state judges have no force and effect outside of the state of issuance," the suits claim, "and when faxed or sent out of state, said search warrants are not deemed issued by a court of competent jurisdiction."

… In addition to violations of the SCA and Wiretap Act, the four-count complaints also accuse the companies of breach of contract and breach of implied duty of good faith and fair dealing.

… Millican said he has been unable to find any case law that raises the issues his complaints do.

"Both the Wiretap Act and the SCA have a good faith clause -- there's a case out there that says an unsigned warrant was fine -- but again, that's for a federal warrant. But that doesn't apply to a Georgia subpoena being served in California."

Millican said that it would be easy for a local law enforcement agency to comply with the law.

"In the Comcast case," he said, "all it would take is for the Cherokee County sheriff to call a judge in New Jersey and say, 'I've got this person down here I'm investigating, I need a warrant.' Then the marshal up there serves it."

Gee, maybe their strategy isn't to increase privacy... Maybe it's to facilitate Behavioral Advertising. In that context, this makes sense.

Irony: Facebook’s New Groups Give Me Less Control, Not More

October 7, 2010 by Dissent

Danny Sullivan writes:

I missed Facebook’s press conference yesterday about the new Facebook Groups feature that promises that you can share comments, photos and other information more tightly among only people you trust. But I learned about the feature firsthand soon enough, when I found myself added to a group without being asked. And that was worrisome.

Robert Scoble had created the group, invited a number of people, and I was flattered to be included. But Facebook should have asked me first, not just let Robert Scoble or anyone put me into a group without permission.

In fact, I was pretty aghast this had happened. This company has time-and-time-again been accused of trying to push people into being less private, giving them less control. Here, yet again it rolls out a feature that suggests better privacy but gets things wrong. Share with only those you “care about the most” and “feel confident about who sees” what you post, the Facebook blog posts pitch us. But groups go wrong from the beginning, by failing to ask if you want to be included.

It gets worse. As best I can tell, once you’re in a group, you can add anyone else to it. I’m pretty sure the rest of the group members aren’t notified when you do this. The group I’m in started with no one, and now it’s up to over 500 people. I wasn’t told when new people were added, nor is there a notification option for this…

Read more on SearchEngineLand.

For my Ethical hackers. Should we create bogus certificates for our machines or would it be more amusing to change the “Master” to indicate that all machines (except ours) are infected?

Microsoft Eyes PC Isolation Ward To Thwart Botnets

Posted by timothy on Thursday October 07, @08:09PM

"In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

Search the Internet like a librarian?

Thursday, October 7, 2010

Dewey Digger - Explore Knowledge

Dewey Digger is an interesting attempt to catalog the web according to the Dewey Decimal System. To use Dewey Digger just click on a Dewey Decimal category. Then select a topic in that category. Once you've selected a topic Dewey Digger will present you with twenty-seven sources of information. Click any of those sources to see articles, videos, and images on your chosen topic.

Can I have your autograph?

Electronically Sign Your PDF Documents For Free Using Adobe eSignatures

… you can now electronically sign documents, using your email address as verification of identity. Many similar online tools require payment for the service, but the Adobe eSignatures beta is completely free (at least for now).

Understandable statistics on child mortality.

Hans Rosling: The good news of the decade?

Thursday, October 07, 2010

This reads more like vendetta than discipline.

Cancer researcher fights UNC demotion over data breach

October 7, 2010 by admin

Gregory Childress reports that a data breach had significant consequences for a researcher. Because I don’t recall ever seeing such consequences before, I think this is pretty newsworthy:

A UNC cancer researcher is fighting a demotion and pay cut she received after a security breach in the medical study she directs.

Bonnie Yankaskas, a professor in the Department of Radiology and principal investigator of the Carolina Mammography Registry (CMR), was demoted from full professor to associate professor with tenure after one of two servers used by the program was hacked into in 2007, placing the personal data, including Social Security numbers, of more than 100,000 women at risk.

The university also reduced Yankaskas’ salary from $178,000 to $93,000. She remains on faculty and continues to lead the CMR program.

Although the security breach occurred in 2007, it wasn’t discovered until Yankaskas reported a computer problem in 2009.

Yankaskas’ attorney, Raymond Cotton, said Wednesday that it’s unfair to blame his client for the breach. He said the university knew the program’s computer system had security deficiencies as early as 2006 but failed to notify Yankaskas.

“No one told her so she could do anything about it,” Cotton said. “The only person who didn’t know was Bonnie [Yankaskas]. It was gross negligence.”

I can’t remember any other data breach of this kind where a researcher experienced such consequences. Researchers have lost data on laptops or flash drives, databases get hacked, but holding the researcher responsible for this type of breach? I’m surprised.

But university officials said Yankaskas’ role in the security breach rose to the level of negligence which warranted her dismissal from the university.

In fact, then-interim provost Bruce Carney sent Yankaskas a letter in October 2009 notifying her of the university’s intent to dismiss her from the faculty because her role in the security breach “constitutes a neglect of duty.”

Carney also charged that Yankaskas obtained sensitive HIPPA-protected patient data from UNC Hospitals without the proper authority, which also rose to the level of neglect of duty. [But it's negligence on the part of the custodian of the data, not the requester. Bob]

Okay, that’s HIPAA, not HIPPA, but that’s actually a very serious charge and one which is reasonable to hold a researcher accountable for. Not only does a researcher have legal obligations under HIPAA for use of patient data, but there are also obligations to comply with the Institutional Review Board’s terms of approval for a study. In this case, there was reportedly no “clear and convincing evidence” that the researcher had violated any rules. What is not clear from the media coverage is whether the records were supposed to have been anonymized or not. Wake Radiology subsequently withdrew from the study when it discovered that the data were not anonymized. The issue of anonymization should have been addressed during the approval process for the study, and it’s not clear to me whether Wake Radiology knew but wasn’t concerned until after the hack or if there had been a representation that data would be anonymized that was not followed.

The committee said Yankaskas’ “inadequate attention to security” did warrant discipline, but not the dismissal as recommended by Carney.

Was this a university server? If so, the notion that individual researchers should be held accountable for the security of servers holding research/patient data boggles my mind. If the research is conducted under the auspices of the university and is part of their network (and that’s a big “if”), do they not provide security? I can see holding a researcher responsible if the researcher opens holes in the security by installing p2p software, or transfers the data to devices that are not part of the system, but routine use of a server? This could really have an effect on all academic researchers who may start wondering whether they need to include a security consultant/IT in their grant proposals.

On Wednesday, Carney, the university’s permanent provost, said he stands by his recommendation in the wake of the “pervasive neglect” with which Yankaskas handled the program’s computer security.

“Ultimately, the principal investigator has to be responsible,” Carney said.

Yankaskas has appealed the demotion to the UNC Board of Trustees, which could decide the matter next month.

Read the full story in The Herald Sun. This case has the potential to have a lot of repercussions among academic researchers.

If you don't understand laws and regulations, you are likely to under or over react.

Nurse reprimanded over Facebook photo

Managers at Genesys Regional Medical Center reprimanded a nurse for unprofessional behavior, based on a photo that ended up on Facebook, the Flint Journal reports.

The photo, which was taken in the early spring, showed another nurse removing a splinter from Cathy Miller in an otherwise empty operating room at the hospital based in Grand Blanc Township, Mich.

Unbeknown to Miller, her coworker posted that photo and others on Facebook.

… "They told me there was a serious investigation going on and that this was something I could lose my job over," Miller told the Flint Journal.

Such an investigation is not uncommon. Twenty percent of companies with at least 1,000 employees have investigated a leak of information to a social network site, according to a survey by the Internet security firm Proofpoint Inc. And 7 percent have fired an employee for violating social network policy.

… The Teamsters 332 union, which represents Genesys nurses, has filed a labor relations charge related to the incident with the National Labor Relations Board. There was no policy against taking a picture in the operating room, Miller said. The nurses were on break, there were no patients in sight and nothing about the photo identified the site as Genesys.

Perhaps there is a market for a “Baby's first mug shot” kit?

Study: 92% of U.S. 2-year-olds have online record

There has been a lot of concern about young people posting too much information about themselves online, but a study commissioned by security company AVG found that 92 percent of U.S. children have some type of online presence by the time they are 2 years old. A third of U.S. mothers posted pictures of newborns, and 34 percent of U.S. moms said they had posted sonograms of their as-yet unborn child.

The study, conducted by Research Now, surveyed 2,200 mothers with young children in the United States, United Kingdom, Germany, France, Italy, Spain, Canada, Australia, New Zealand, and Japan during the week of September 27. American parents, according to the study, are more likely to share baby pictures and information online than parents from other countries in the survey. Seventy-three percent of parents in the United Kingdom, Spain, France, Germany, and Italy said they were willing to share images of their infants.

Something for my “Ethical Hackers?”

Medicare, veterans to get downloadable health info

SAN LEANDRO, Calif.--The U.S. government is adding a new "blue button" to the Medicare and Veterans Affairs Web sites that will allow veterans and seniors on Medicare to download their health records onto their own computers. The program, though live already, is set to be formally unveiled by the White House tomorrow, CNET has learned.

For some time, the government has allowed both Medicare recipients and veterans to view their medical records or claims history, but is only now adding the download option...

… Already, developers have been creating apps that can tie into the Blue Button data, and the Markle Foundation has issued a challenge for developers to create innovative programs that can make use of the information. Microsoft, for example, plans to announce this week that people will be able to import their Blue Button data into its HealthVault personal-record service.

(Related) Oh look, a vulnerability guide.

October 06, 2010

New GAO Reports: Cyberspace Policy, DOD's Electronic Health Record Initiative, Employment of Individuals with Disabilities

  • Cyberspace Policy: Executive Branch Is Making Progress Implementing 2009 Policy Review Recommendations, but Sustained Leadership Is Needed, GAO-11-24, October 06, 2010

  • Information Technology: Opportunities Exist to Improve Management of DOD's Electronic Health Record Initiative, GAO-11-50, October 06, 2010

  • Highlights of a Forum: Participant-Identified Leading Practices That Could Increase the Employment of Individuals with Disabilities in the Federal Workforce, GAO-11-81SP, October 05, 2010

One more for my Ethical Hackers. Remember, you have to secure EVERYTHING.

Hacked Voting System Stored Accessible Password, Encryption Key

An internet-based voting system that was hacked last week by researchers at the University of Michigan stored its database username, password and encryption key on a server open to attack.

Alex Halderman, a computer scientist at the university, has detailed the vulnerabilities and hacking techniques his students used to completely control the system last week. The hack allowed them to change votes and program the system to play his school’s fight song “Hail to the Victors” after each voter cast their ballot.

The hack, unnoticed by election officials until researchers notified them, [Perhaps they assumed that all voting machines were from Michigan? Bob] forced election officials to take the system offline and adopt a contingency plan for the November elections.

I wonder how many Chinese students are in US Law Schools?

China Becoming Intellectual Property Powerhouse

Posted by samzenpus on Wednesday October 06, @06:20PM

"A lot of Westerners view China as little more than the world's factory manufacturing anything with little regard to patents, copyrights and trademarks. But it seems as far as patents go, China is moving on up. According to the WIPO, the company that applied for the most patents in 2008 was not an American or Japanese company but China's Huawei Technologies. And China has made astonishing ground recently moving up to third place with 203,257 patent applications behind Japan (500,000) and the United States (390,000). It remains to be seen if these patent applications will come to fruition for China but it is evident that they are focusing on a new image as a leader in research and development. The Korean article concentrates on 2008 but you can find 2009 statistics at the WIPO's report on China along with some statistics breaking down applications by industry."

Expert: ACTA No Longer Gutting Internet Freedom

The United States is caving on the internet section of a proposed international intellectual-property treaty, meaning its one-time quest to globally dictate draconian copyright rules has come to an abrupt halt.

That’s what Michael Geist, an Anti-Counterfeiting Trade Agreement expert at the University of Ottawa, concluded Wednesday after the United States released the latest draft of the proposal (.pdf).

(Related) No doubt RIAA will now add support for the “Border Wall” to their copyright lobbying efforts.

Mexican Senate Votes To Drop Out of ACTA

Posted by samzenpus on Wednesday October 06, @10:01PM

"The Mexican Senate has voted unanimously to drop out of ACTA negotiations, saying that the process has been way too secretive, left out many stakeholders and appears to deny access to knowledge and information. Of course, it's not clear if this "non-binding resolution," actually means much, as the negotiators are not under the Senate's control. At the very least, though, it appears the Mexican Senate is going to fight to keep the country from agreeing to ACTA."

“If you digitize it, they will come.”

New study suggests e-book piracy is on the rise

Last January a company called Attributor conducted its first e-book piracy study. And back in May, I mentioned that study in a piece called "Is iPad supercharging e-book piracy?" Well, Attributor has conducted a second study more recently and come up with some interesting data.

The company says its key findings are:

  • 50 percent increase in online searches for pirated downloads throughout the past year

  • 1.5-3 million daily Google queries for pirated e-books

  • 20 percent increase in demand for pirated downloads since the iPad became widely available in mid-May 2010

  • 54 percent increase in pirated e-book demand since August 2009

  • Proliferation of smaller sites that host and supply pirated e-books--a shift from larger sites like Rapidshare dominating the syndication market

  • "Breaking Dawn" by Stephanie Meyer registered the most pirated copy searches throughout the study

  • Widespread international demand, with the largest number of searches during the study originating in the United States (11 percent), India (11 percent) and Mexico (5 percent)

Not much beyond the names of the candidates yet, but this has real potential. The League of Women Voters should do something similar.

- Learn Who Is Running For Office

As pitiful as it is, we often are completely ignorant of who is running for office when local elections come around. We might not even be acquainted with the names on the ballot, let alone know about their plans for solving these local issues that beset us all. Picking one out ends up being a very random process. And it shouldn’t be like that under any concept - after all, we are talking about an elected representative.

Someone realized that, and came up with this nice application. Simply put, Ballot Book will let you know the names of those who are running for office in the next local elections, and also what they plan to do in the event they are elected. That is certainly nice, and what is even nicer is that you are also provided with a feed in which you can read what other community members are saying about them.

It's merely another “Tax on the Ignorant” – a cherished American custom.

Best Buy Unapologetic About Charging For PS3 Firmware Updates

Posted by Soulskill on Thursday October 07, @01:12AM

"After discovering that electronics retailer Best Buy was charging ignorant customers $30 for the 'service' of installing updated firmware on PS3s, IndustryGamers got word from the company on its policy. Best Buy sees no problem with charging for this convenience, even though it's something Sony provides to PS3 owners completely free. 'While many gamers can handle firmware upgrades easily on their own, those customers who do want help can get it from Geek Squad, and we continue to evaluate this offering to ensure it meets their needs. The service goes beyond a firmware update, and includes user account setup, parental control setup and other components,' a representative said."

Wondering what to get yourself for Christmas? With Google TV and one of these devices, you no longer need to move from your computer to your TV. You can become a “multi-tasking couch potato!!”

Google Launches Website With Feature Set For Google TV [News]

Up until now, however, Google hasn’t released much information about their upcoming product, aside from a few small announcements and screenshot releases.

That all changed a few days ago, when Google launched a mini-site detailing the much anticipated Google TV platform. Included with a quick tour, this website reveals a bunch of juicy details about what we can expect to be included with the platform.

Here are the key points illustrated in the tour:

  • Search across every channel, every app, and the entire web, simultaneously.

  • Ability to browse the whole web, not just some of it.

  • Comes with several of your favorite apps, and next year developers can create their own.

  • Use your phone as a remote, including voice search.

  • Customizable home screen with favorite channels, apps and websites.

  • Seamless switching between TV and web, or watch both at the same time.

  • DVR access right from the search bar.

  • Easy to install and works with your current setup.

… Google includes a link to a YouTube video in which they demo the wide variety of apps that will be available on the platform.


Logitech’s Revue Product Page Goes Live, Preorder One Now For $299

The device’s minisite just went live ahead of the official unveiling at 3:00 PM EDT today and that’s fine by us. The site itself doesn’t talk all that much about Google TV — at least there isn’t anything here that wasn’t on the Google TV minisite — rather it’s devoted to Logitech’s Google TV offering, the Revue.

(Related) Another, cheaper computer-to-TV device.


One for my Statistics students. For their mid-term, I'll have them determine if Colorado has smarter deer or West Virginia has dumber drivers.

Five states where you're most likely to hit a deer this fall

State Farm calculates the chances of a West Virginia driver striking a deer over the next 12 months at 1 in 42. [Colorado is 1 in 366 Bob]

Strange as it seems to some of us, apparently there is a big audience for these sites... Here's my Reader's Digest version of the article.

10 Helpful Resources on the Basics For The Computer Illiterate

In addition to MakeUseOf’s awesome Windows 7 Guide titled “From Newbies to Pros”, I also recommend the following 10 sites for the computer illiterate.

  • Jan’s Illustrated Computer Literacy 101 – Upon first landing on the site I thought it was from the 1990’s. The design is a bit outdated and some of the graphics are cheesy, but after browsing through the site you’ll see that Jan offers useful instruction that really will teach computers to someone who absolutely has no clue how computers work.

  • PDF quick reference guide from Custom Guide – ... offers this very useful two-page quick reference for novice computer users.

  • Computer Basics and Beyond – covers basic tips on computer maintenance, Internet browsing, security and more.

  • Microsoft's Digital Literacy site – three “curriculum” levels: basic, standard and advanced. Each curriculum level provides a few tutorial videos that will walk the user through a list of lessons.

  • The University of North Carolina at Chapel Hill – probably offers one of the best free lists of online PDF instructional material for new computer users.

  • Sandy Berger’s Compu-KISS site – covers just about any aspect of computing that you can imagine. Her tutorials are very short, very simple, and offer screenshots to boot.

  • The Terry Bellavance Resource Centre in Ontario – a free online tutorial where you start at the “Introduction” and click “next”, working your way through the illustrated tutorial at your own pace.

  • Senior’s Guide to Computers – a website devoted to providing technical information about computers and the Internet in a manner that older folks will be able to understand.

  • Computer Help A to Z – while it’s formatted a bit like one of those websites seeking to sell subscriptions, it’s actually chock full of free tips and articles on basic computer topics.

  • MS Office website – While I’d rarely point any newbie to the Microsoft site for “easy-to-follow” instruction, this site actually has a lot of useful content, like “getting started with…” tutorials for each Office product.

Wednesday, October 06, 2010

Will we soon have enough information to begin analyzing humans like Asimov's PsychoHistory?

Online tracker claims to have data on 8 million Australians

October 5, 2010 by Dissent

More on online tracking, this time from Julian Lee of The Age:

The online behaviour of millions of Australians is to be tracked and auctioned to advertisers by a new generation of internet businesses setting up shop here.

The world’s largest “data exchange”, the Californian company BlueKai, boasts it already has the computer addresses and “purchasing intent” of 8 million Australians it knows are in the market for cars, holidays and online shopping.

Read more in The Age. In an earlier story, they provided additional information on specific web sites in terms of how much information is collected.

Here's one more fear. Opting out of the Smart Grid opts you out of grid. No data, no utilities!

Privacy on the Smart Grid

October 5, 2010 by Dissent

Ariel Bleicher writes:

Back in 2007, when the Dutch government announced that all 7 million homes in the Netherlands would be equipped with smart meters by 2013, it anticipated little resistance. After all, who wouldn’t welcome a device that could save both energy and money? But consumers worried that such intelligent monitoring devices, which transmit power-usage information to the utility as frequently as every 15 minutes, would make them vulnerable to thieves, annoying marketers, and police investigations. They spoke out so strongly against these “espionage meters” that the government made them optional.

A report released this past April by the New York City–based consulting company Accenture found that the Dutch are hardly alone. Of more than 9000 consumers polled in 17 countries, about one-third said they would be discouraged from using energy-management programs, such as smart metering, if it gave utilities greater access to data about their personal energy use. And in a comprehensive report on smart grid privacy released in September, the National Institute of Standards and Technology (NIST) compiled a list of scenarios that consumers fear if their energy data got into the wrong hands.

Read more on IEEE Spectrum. Via @PrivacyProf.

Not a big deal, just change from wholesale to retail. Your computer will generate 100,000 copies of the paperwork just as easily as the first copy. (Didn't I tell you that the Porn Industry was a leader?)

Porn BitTorrent Lawsuits Run into Serious Problem – Lawsuits Must be Filed Individually

October 5, 2010 by Dissent

Slyck Tom writes:

You know, there’s this funny issue called joinder – which in essence means that additional defendants can be added to a single complaint. This has been a hot button issue in the Far Cry and Steam Experiment lawsuits, where Judge Rosemary Collyer is currently pondering whether to order the US Copyright Group to file each lawsuit independently. Considering that the Far Cry lawsuit currently has over 4,000 defendants clinging to one complaint, a ruling in favor of the John Does could have a detrimental effect on the USCG’s effort to create an alternative revenue stream.

Beside the USCG lawsuits, which mainly focuses on small, independent producers creating mediocre movies (yet wondering why they don’t sell), there is another genre of file-sharing lawsuits against those supposedly sharing adult movies. Following the same playbook as ACS:Law, Gallant Macmillan, and the USCG, a law firm called Steele Law has filed nearly 1,400 lawsuits against suspected porn file-sharers. One of their clients is First Time Videos, LLC, and as luck would have it, they might be the first time losers.

In an order issued on October 1, Judge Ruben Castillo dismissed the case, without prejudice, due to misjoinder. Holy Moses – has precedent been set? Here’s the ruling….

Read more on Slyck.

Wow, that Fifth Amendment thingie turns out to be pretty useful after all. Or maybe not.

UK: The right against self-incrimination is not a right to remain encrypted

October 5, 2010 by Dissent

A teenager has been jailed for 16 weeks after he refused to give police the password to his computer.

Oliver Drage, 19, of Liverpool, was arrested in May 2009 by police tackling child sexual exploitation.

Police seized his computer but could not access material on it as it had a 50-character encryption password.

Drage was convicted of failing to disclose an encryption key in September. He was sentenced at Preston Crown Court on Monday.

Read more on BBC. Apparently, it’s an offense under RIPA to refuse to provide the password. This is not the first case of its kind in the U.K.

In a similar case here, the government convinced a court to order a defendant to provide an unencrypted version of the hard drive. Although civil liberties groups argued that requiring such production implicated Fifth Amendment protections, the judge held that because the defendant had already admitted owning the hard drive and because the government already knew the location of the documents on the drive (if not their precise content), the defendant could be compelled to produce the unencrypted files.

For my Ethical Hackers. Spy like the Big boys.

US Marshal Service’s Electronic Surveillance Manual

October 5, 2010 by Dissent

Chris Soghoian writes:

Last week, the FOIA fairy delivered 25 pages of internal rules that outline when and how the US Marshal Service uses electronic surveillance methods. According to the cover letters accompanying the documents, the policies are “obsolete” and that “the office is preparing to rewrite/revise it, which could take 30 days or longer to complete.”

The full document can be downloaded here (pdf)

Read more on Slight Paranoia.

Politicians will never allow this. Ignorant (even technologically ignorant) people make up most of their constituency – why else would they vote for them?

Should ISPs Cut Off Bot-infected Users?

Posted by CmdrTaco on Tuesday October 05, @04:16PM

"There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."

(Related) Do two impossible things before connecting?

Stop. Think. Connect. - New Web safety campaign kicks off

In 2009, President Obama called for the creation of a public awareness program that would focus on cybersecurity. The program created, called Stop. Think. Connect., is supposed to work like the Click It or Ticket campaign, creating an instant brand for Web safety.

… the links below point to the various security resources offered by the Stop. Think. Connect. members.

When we figure out how to make the ads really REALLY annoying, we'll be able to charge even more!

Google Patent Proposes $2 Fee To Skip Commercials

Posted by CmdrTaco on Tuesday October 05, @11:31AM

"A day after Google debuted its new Google TV website, the USPTO issued U.S. Patent No. 7,806,329 to the search giant for its Targeted Video Advertising invention. Among other things, the patent proposes having viewers take 5-10 minutes to 'fill out a consumer survey and perhaps to provide additional information such as a mailing address survey before starting the program' to avoid having to watch 10 minutes of commercials. 'As another alternative,' the patent continues, 'the broadcaster may offer the users an option to pay $2 (such as through a micro-payment system, such as GBuy) to exchange for skipping all commercials.' More from the patent: 'The system may allow a user to skip all of the promotions that they want to skip, but may also require the user to fully watch at least four promotions before the program will continue. Likewise, the system may require the user to follow activities that generate a certain amount of advertising revenue or advertising points (e.g., that may correspond directly or indirectly to advertising revenues) before the program will continue.'"

Who teaches the teachers?

Google Apps Now In A New York State Of Mind

Google sees the adoption of Google Apps at schools and colleges as vital to the growth of the productivity suite; an outlook that Microsoft also seems to emulate as well. The strategy makes sense; not only do educational institutions represent a huge market for Google Apps and other productivity suites, but schools and colleges are where many people get trained, start relying on, and form brand allegiances to productivity apps. Today, New York is the fifth U.S. state to adopt “Google Apps,” joining Oregon, Colorado, Iowa, and Maryland.

… Google Apps for Education, which is used by 8 million students, faculty and staff at educational institutions, is steadily catching up to Microsoft’s education suite, Live@edu, which has 11 million users.

Shows how to encrypt your drive...

The Office Worker’s 101 Guide to a USB Thumb Drive [Download]

Flash drives today are not just about storing your important files: you can use them to run programs and even entire operating systems.

In MakeUseOf’s latest free PDF guide “The Office Workers Guide To A USB Thumb Drive” you will learn the full potential of what you can do with flash drives and what type of flash drive is right for you.

Download: The Office Workers Guide To A USB Thumb Drive


Read it online on Scribd