Saturday, November 20, 2010

This goes a long way toward restoring that warm, fuzzy feeling.

Hacked Federal Reserve Network Was Test-only

November 19, 2010 by admin

Robert McMillan reports:

A June 2010 hacking incident that compromised a network at the Federal Reserve Bank of Cleveland happened on a test system and not the bank’s production servers…. According to Gates, the hacker managed to break into a single Fed test PC that was connected to other test computers. “This is a system that is used to test software and applications with fake data and information,” she said. “The incident did not involve our live production system on which we process our work.”

Read more on PC World.

So what was the source of the 400k credit card numbers found in Poo’s possession?

[Yesterday they claimed:

Prosecutors say he hacked into the Federal Reserve Bank of Cleveland's network in June of this year, and compromised at least 10 computers there.

The TSA kerfuffle is generating lots of stories, but unless you plan to fly commercial (and are not an exempt pilot) they are simply more examples of “Security theater” so I'm just going to point you to them without commenting on each.

Bruce Schneier vs. the TSA

Posted by Soulskill on Friday November 19, @05:08PM

"Bruce Schneier has posted a huge recap of the controversy over TSA body scanners, including more information about the lawsuit he joined to ban them. There's too much news to summarize, but it covers everything from Penn Jillette's [Worth reading! Bob] and Dave Barry's grope stories, to Israeli experts who say this isn't needed and hasn't ever stopped a bomb, to the three-year-old girl who was traumatized by being groped and much, much more."

Another reader passed along a related article, which says, "Congressman Ron Paul lashed out at the TSA yesterday and introduced a bill aimed at stopping federal abuse of passengers. Paul’s proposed legislation would pave the way for TSA employees to be sued for feeling up Americans and putting them through unsafe naked body scanners."

[Bruce has his own collection of “news”:

Of course, airport security is an extra-Constitutional area, so there's no clear redress mechanism for those subjected to too-intimate patdowns.

This video provides tips to parents flying with young children. Around 2:50 in, the reporter indicates that you can find out if your child has been pre-selected for secondary, and then recommends requesting "de-selection." That doesn't make sense.

Neither does this story, which says that the TSA will only touch Muslim women in the head and neck area.

Senior Democrats rebuke TSA over screening rules

Small business TSA decisions

This morning I had to have the most unpleasant discussions with my staff concerning my company buying their plane tickets and thus causing them to lose their privacy rights.

I can't help thinking that they will generate (and store?) the same images, but will “cartoonize” them to keep the peasants from revolting.

Report: Stick figures may be used to calm ire surrounding body scanners

They do mention Privacy, in one paragraph on the last page...

November 18, 2010

DHS - Preventing and Defending Against Cyber Attacks November 2010

Related to the TSA stories. My concern is that as a “Security Expert” and someone who teaches “Ethical Hacking” I access web sites, have lots of software that “normal” people don't, and (most damning) criticize the TSA. Will this happen to me?

Whitehat Hacker Moxie Marlinspike's Laptop, Cellphones Seized

Posted by timothy on Saturday November 20, @12:06AM

"The well-known whitehat hacker and security researcher that goes by the handle Moxie Marlinspike has recently experienced firsthand the electronic device search that travelers are sometimes submitted to by border agents when entering the country. He was returning from the Dominican Republic by plane, and when he landed at JFK airport, he was greeted by two US Customs officials and taken to a detention room where they kept him for almost five hours, took his laptop and two cell phones and asked for the passwords needed to access the encrypted material on them."

For my Intellectual Property Lawyer friends (not an oxymoron – they do exist) Does this parallel the rules for ISPs? Will Cloud storage providers have to look at every bit of data you upload?

MP3Tunes ‘Safe Harbor’ Challenge Is Legal Test for Cloud Storage

A key test of digital-copyright law will be heard soon in New York federal court: whether online music storage services and search engines can be held liable when users upload copyright material. The outcome could have far-reaching implications for so-called “cloud-based” services, which allow users to store their content on remote servers accessible on the internet.

… Several influential digital rights groups filed a brief last Tuesday supporting the defendant in the case, MP3tunes. They urged the court to uphold the “safe harbor” provision, lest online innovation be stifled.

Three years ago, several labels and publishers affiliated with major record label EMI sued MP3tunes, which provides an online music “locker” service where users can store their music and access it from computers and mobile devices. MP3tunes also operates a music search engine called Sideload, where people can find music tracks on other sites and then put them in their locker.

To EMI, MP3tunes and Sideload represent a two-step mechanism for the discovery and acquisition of copyright music. MP3tunes argues that its service merely allows users to store their music online so they can listen to it anywhere. And even if some users upload copyright content, the company says, it can’t be found liable because it is protected by the DMCA.

Another “Cloud Computing” article. Interesting in that it is a government computer system that is relatively cheap ($2 million) and works!

eJuror Will Lead To New List of Jury Duty Excuses

Posted by Soulskill on Friday November 19, @02:25PM

"Now you can say your jury duty request got lost in the cloud, or that the network was down, or the Internet ate it. That's because the US District Court system is close to completing a rollout of its national eJuror system that lets prospective jurors have the option of responding to their jury questionnaire or summons online. About 80 of the 94 US district courts have had the eJuror software installed and more than half of those courts are already live on the system."

For my (you better be doing research) students. Shows the rapid increase in searches for “TSA” for example. Also shows a number of related search terms that were (more and less) popular... Note: The “personal information” is aggregated so it isn't obvious how that would be a problem. Unless I'm missing something?

Yahoo! Clues divulges personal information on searches

November 19, 2010 by Dissent

Nadia Ibanez reports:

Yesterday, Yahoo! unveiled the beta test of Yahoo! Clues, which is designed to help users data-mine trending search terms. When a user types in a search term, they’re shown a graph with the highs and lows of the trend over the past week or month. Information about the gender, age, income and location is also provided along with the search paths that other users have taken to provide for a better-rounded search capability.

Read more on Business Review USA. If you want to test it out, the correct url is

For my Math students. I tell them the same thing, based on my observations. Nice to have “scientific confirmation”

Traffic Jams In Your Brain

Posted by timothy on Saturday November 20, @06:01AM

"Carl Zimmer's latest foray into neuroscience examines why the brain can get jammed up by a simple math problem: 'Its trillions of connections let it carry out all sorts of sophisticated computations in very little time. You can scan a crowded lobby and pick out a familiar face in a fraction of a second, a task that pushes even today's best computers to their limit. Yet multiplying 357 by 289, a task that demands a puny amount of processing, leaves most of us struggling.' Some scientists think mental tasks can get stuck in bottlenecks because everything has to go through a certain neural network they call 'the router.'"

Something for students who complete my Math classes.

Massachusetts Institute of Technology Entrance Examination, 1869-70

Friday, November 19, 2010

Somehow this fails to give me that warm, fuzzy feeling I'd like to have when thinking of the Federal Reserve...

Malaysian National Indicted for Hacking into Federal Reserve Bank

November 18, 2010 by admin

The Dept. of Justice issued the following press release about a case noted earlier today on this blog:

Defendant’s Criminal Activities Extended to the National Security Sector

A four-count indictment was returned by a federal grand jury in Brooklyn today charging Lin Mun Poo, a resident and citizen of Malaysia, with hacking into a computer network of the Federal Reserve Bank and possessing more than 400,000 stolen credit and debit card numbers. The defendant was arrested on a criminal complaint shortly after his arrival in the United States on October 21, 2010, and has been held in custody since then. The case has been assigned to United States District Judge Dora L. Irizarry.

The charges were announced by Loretta E. Lynch, United States Attorney for the Eastern District of New York, and Brian G. Parr, Special Agent in Charge, United States Secret Service, New York Field Office.

According to the government’s pleadings and a detention letter filed today, the defendant made a career of compromising computer servers belonging to financial institutions, defense contractors, and major corporations, among others, and selling or trading the information contained therein for exploitation by others. On October 21, 2010, the defendant traveled to the United States for the purpose of obtaining additional stolen financial account information from other hackers, which he planned to use and sell for his own profit. When he was arrested a few hours after his arrival at John F. Kennedy International Airport, Secret Service agents seized his heavily encrypted laptop computer, which contained a massive quantity of financial account data and personal identifying information that he had allegedly obtained by hacking into various computer systems. The victims included FedComp, a data processor for federal credit unions. As a result, the defendant was able to gain unauthorized access to the data of various federal credit unions, such as the Firemen’s Association of the State of New York and the Mercer County New Jersey Teachers. The defendant also allegedly compromised the computer servers of a number of major financial institutions and companies, including a computer network of the Federal Reserve Bank of Cleveland, Ohio, by exploiting a vulnerability he found therein.

The defendant’s cybercrime activities allegedly extended to the national security sector. According to the government’s pleadings and detention letter, in approximately August 2010, he hacked into the computer system of a Department of Defense contractor that provides systems management for military transport and other military operations, potentially compromising highly sensitive military logistics information.

Bob McMillan of IDG News Service also covers the story on Computerworld and points us to a DOJ court filing on the case.

What I really wonder about right now is how many of these banks, credit unions, and other targets even knew they had been breached, or was this all news to them?

What is going on here? Must we assume it takes the FBI 2 years to work through their backlog of cases? Did the priority drop when they (mistakenly) concluded there was no possibility of Identity Theft? Clearly, EODT's investigation found nothing to contradict the FBI, or did they simply not bother after getting an “all clear?”

Two years after a hacking incident, firm learns that employee data were accessed

November 18, 2010 by admin

Tennessee-based EOD Technology (EODT) recently notified the New Hampshire Attorney General’s Office of a breach that occurred in August 2008. No, that’s not a typo: 2008.

By letter dated November 12, the firm reported that in August 2008, they became aware that one of their computers had been accessed by an individual or individuals outside of the U.S. while the computer was connected to a non-EODT network. The incident was reported to the FBI at the time and an investigation by the FBI at that time reportedly suggested that the goal of the intrusion was to acquire EODT banking information and that no personal information had been accessed or acquired.

Fast forward to 2010 when the FBI recently notified EODT that it had uncovered additional information — information that indicated that documents containing the names and Social Security Numbers of employees had been accessed after all. The firm reports that it has no indication or reports to suggest that any of the employee data were misused.

Employees whose data were on the computer were notified by letter on November 10 and advised to remain alert and check their credit reports.

[From the letter:

But, recently the FBI notified EODT that additional information was uncovered during their lengthy investigation.

Of course, they are still operating. Now they are just careful not to lie... If the company was an individual, he'd be sharing Bernie Madoff's cell.

Nearly One Million LifeLock Victims to Receive Refund Checks from FTC

November 19, 2010 by Dissent

An administrator working for the Federal Trade Commission began mailing refund checks Wednesday to 957,928 people who were victims of allegedly false claims made by LifeLock, Inc., which told consumers it could provide absolute protection from identity theft if they signed up for its identity protection service. The mailings will continue for two weeks.

In March 2010, FTC Chairman Jon Leibowitz announced that LifeLock had agreed to pay $11 million to the FTC and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the company’s CEO’s Social Security number on the side of a truck. The FTC charged that LifeLock provided less protection against identity theft than promised and made claims about its own data security that were not true. Consumers who signed up for LifeLock’s services based on those false claims will now be receiving refund checks.

Consumers will receive checks for $10.87 each, and will have 60 days to cash them. The distribution represents all eligible consumers, and no further claims for refunds will be accepted. Consumers who have questions can call the administrator’s toll-free number at 1-888-288-0783 or go to

These consumer refund checks can be cashed directly by the recipients. The FTC never requires the payment of money up-front or additional information to be provided before consumers cash their refund checks.

Source: FTC


Recommended: Comparison of services on location-based options

November 19, 2010 by Dissent has compiled a nifty chart comparing six service platforms (Facebook Places, Yelp, Gowilla, foursquare, Twitter, Loopt) in terms of location-based features that affect your privacy

Check it out here (pdf).

Sounds like a good idea, but there are a couple of sites that illustrate an interesting trend – analyzing data on your computer like Behavioral Advertisers analyze your cookies... Do they report this to anyone? (Imagine what they would do on your Congressman's computer...)

7 Sites That Can Help You Deal With Information Overload


Geneio is a service that installs on your computer and analyzes your current web history to determine content that interests you. A few minutes after installing, it determines your preferences and generates a homepage which is tailored to your interests.


Once you import your RSS feeds from Google Reader, and your Twitter and Facebook accounts, My6Sense begins analyzing how you read items and will start to give you personalized relevant results.

Rather than go based on what you think you are interested in, My6Sense actually looks at what you click on – they have found that sometimes the two don’t exactly match up.

Google Reader “Sort by Magic”

This option sorts your RSS folder based on the popularity of the post and how you interact with and share news items.

“It is better to look secure than to be secure”

Another TSA Outrage

November 19, 2010 by Dissent

Over on RedState, Erick Erickson posted a story told by a soldier returning from Afghanistan. It is a story that exemplifies the stupid security theater that is TSA as hundreds of soldiers were allowed to take their assault weapons onboard but a pair of nail clippers was confiscated during what should have been a brief stopover in Indianapolis to let 100 soldiers debark.

It has always puzzled me that TSA manages to find and confiscate the tiny screwdriver/screw set I carry with me (in case a lens falls out of my eyeglasses) but they invariably fail to detect cigarette lighters. I have tried to envision some terrorist stabbing madly with a one-inch screwdriver but no matter what scenario I generate, it doesn’t work — the terrorist does not get to take over the plane armed with an eyeglass repair kit. Nor, for that matter, do they get to take over the airplane using the metal shoehorn that TSA also keeps confiscating from my husband.

Congress has acted stupidly by endorsing and allowing this nonsense to continue and expand.

Have you called your Senators and representative to express your outrage and to find out what your elected officials are doing to put a halt to this?

No indication of classic “Identity Theft” in the article other than signing someone else's name.

Lawyer gets jail time in Dead Sea Scrolls harassment case

November 18, 2010 by Dissent

Jennifer Peltz of AP reports:

A New York lawyer was sentenced Thursday to six months in jail for an ultramodern crime that was all about antiquity: using online aliases to harass people in an academic debate about the Dead Sea Scrolls.

Raphael Golb, 50, was sentenced on identity theft and other charges in a rare criminal case centred on Internet impersonation — and a very rare trial that aired a bitter scholarly debate over the scrolls’ origins.

Read more in the Toronto Star.

[From the article:

Golb’s father is a historian and Dead Sea Scrolls scholar. Prosecutors said Golb used fake email accounts and wrote blog posts under assumed names to discredit his father’s detractors.

“Using fictitious identities to impersonate victims is not what open academic debate seeks to foster,” District Attorney Cyrus Vance said when Golb was convicted.

Golb said the writings amounted to academic whistle-blowing and pointed parody, not crime.

… Schiffman went to authorities after some of his students and colleagues received emails from an address that used his name. The emails appeared to have him admitting that he plagiarized Norman Golb’s work and asking the recipients to keep quiet about it. Schiffman denies copying the historian’s work.

… Internet impersonation claims have generated a number of lawsuits, but prosecutions are unusual unless phony identities are used to steal money, experts say.

If they ignored this data, would they be negligent?

Insurers Test Data Profiles to Identify Risky Clients

November 19, 2010 by Dissent

Leslie Scism and Mark Maremont report:

Life insurers are testing an intensely personal new use for the vast dossiers of data being amassed about Americans: predicting people’s longevity.

Insurers have long used blood and urine tests to assess people’s health—a costly process. Today, however, data-gathering companies have such extensive files on most U.S. consumers—online shopping details, catalog purchases, magazine subscriptions, leisure activities and information from social-networking sites—that some insurers are exploring whether data can reveal nearly as much about a person as a lab analysis of their bodily fluids.

Read more in the Wall Street Journal

[From the article:

This kind of analysis, proponents argue, could lower insurance costs and eliminate an off-putting aspect of the insurance sale for some people.

"Requiring every customer to provide additional, and often unnecessary, information" such as blood or urine samples, "simply makes the process less efficient and less customer-friendly," says John Currier, chief actuary for Aviva USA.

… For insurers and data-sellers alike, the new techniques could open up a regulatory can of worms. The information sold by marketing-database firms is lightly regulated. But using it in the life-insurance application process would "raise questions" about whether the data would be subject to the federal Fair Credit Reporting Act, says Rebecca Kuehn of the Federal Trade Commission's division of privacy and identity protection. The law's provisions kick in when "adverse action" is taken against a person, such as a decision to deny insurance or increase rates.

… Deloitte and the life insurers stress the databases wouldn't be used to make final decisions about applicants. Rather, the process would simply speed up applications from people who look like good risks. [If they identify me as a “Security Expert” would they automatically ignore (positive or negative) information in my dossier? Bob] Other people would go through the traditional assessment process.

Keeping tabs...

How the U.S. Snoops on Russian Nukes From Space [Updated]

“We have a wealth of advanced classified systems up there that can read license plates,” says Stephen Schwartz, a nuclear-arms expert at the James Martin Center for Nonproliferation Studies.

Tomorrow, Cape Canaveral will launch what the director of the National Reconnaissance Office — the intelligence agency that manages the spy satellites — calls the “largest satellite in the world” into geosynchronous orbit 22,300 miles above the earth, where it’ll use “sensitive radio receivers and an antenna generally believed to span up to 100 meters (328 feet) to gather electronic intelligence for the National Security Agency,” as sat-watcher Ted Molczan told

The National Reconnaissance Office’s satellites are classified. But of the 438 U.S. military, government and commercial satellites hovering overhead, “you could characterize about 90 of them as collecting some form of intelligence, whether it is imagery, signals or detecting nuclear detonations,” says Brian Weeden, a former officer with the U.S. Air Force Space Command. ( has a good rundown of some of their capabilities.)

My Statistics students will love this!

Win a Coin Toss

… But if you're trying to game the game, flip away. Researchers at the University of British Columbia proved it can work.

After an argument about how to divide patients randomly into groups for a clinical trial (some wanted to use a coin toss, others argued that coin tosses could be manipulated), they tested their theories on a group of medical residents. When given some basic pointers and five minutes of practice, the subjects could intentionally show heads as much as 68 percent of the time. Here's how they beat randomness.

Perhaps we could use this instead of Dissertations? (Comics in APA style?)

- For The Creation Of Comic Books

As its name implies, Comic Master is an online tool that can be used for the creation of comic books and graphic novels.

This tool can be used at just no cost, and the comics that are created can then be shared with all your friends and contacts on the Social Web.

Comic Master has a library of backgrounds and characters that can be used in every comic book that is created. And in any case, users can upload their very own in order to give everything that further touch of personality.

One might think that a service like Comic Master is primarily going to be put to leisure uses. Yet, that would be a mistake. The truth is that such an Internet tool will be of great aid to educators that want their students to become more involved in anything they have to learn. For example, think how practical such a service can be for learning about any historical character. It will make it all resemble a game, and (consequently) be apprehended more easily by the children.

Thursday, November 18, 2010

“Friends” you don't need...

Debt Collectors Using Facebook To Embarrass Those Who Owe

Not even the tranquility of FarmVille can save you from the long arm of debt collectors. Melanie Beacham says that a collector from MarkOne Financial contacted her relatives about her past due car note via Facebook. She is filing suit alleging that the company is harassing her family. Tampa based consumer attorney Billy Howard of Morgan & Morgan says, "Now Facebook does a debt collectors work for them. Now it's not only family members, it's all of your associates. It's a very powerful tool for debt collectors to use."

The push back continues...

DA promises to prosecute overly touchy pat downs

November 17, 2010 by Dissent

Lyanne Melendez reports:

The San Mateo district attorney’s office has a warning for all TSA personnel at SFO — anyone inappropriately touching a passenger during a security pat down will be prosecuted.

Incoming San Mateo DA Steve Wagstaffe says any complaints of inappropriate touching during an airport security pat down will land on his desk.

“The case would be reviewed and if we could prove the elements of it, that it was inappropriately done with a sexual or lewd intent, that person would be prosecuted,” he said.

Sounds like a blustery day in San Mateo. Read more on ABC. Hat-tip, @NationalOptOut

“We can, therefore we must!” ...and besides, only the driver uses a cell phone.

Secretary of Transportation LaHood: We’re looking into technology to disable cell phones in vehicles

November 17, 2010 by Dissent

Jeff Winkler reports:

Transportation Secretary Ray LaHood said using a cell phone while driving is so dangerous that devices may soon be installed in cars to forcibly stop drivers — and potentially anyone else in the vehicle — from using them.

“There’s a lot of technology out there now that can disable phones and we’re looking at that,” said LaHood on MSNBC. LaHood said the cellphone scramblers were one way, and also stressed the importance of “personal responsibility.”

Read more on the Daily Caller.

This is truly absurd and dangerous. I cannot begin to count how many times I have used my phone while in my car to report a car accident with injuries on the road ahead of me where 911 needed to dispatch emergency vehicles while I started assisting injured drivers or passengers. In emergencies, such as the driver who was in cardiac arrest, time is of the essence and anything that delays making a 911 call can make the difference between life and death.

A great victory for the ecology? Save a tree, Google it!

Is the Number Up For the Residential Phone Book?

"The first phone directory was issued in 1878, two years after Alexander Graham Bell invented the telephone and for decades regulators across the US have required phone companies to distribute directories in paper form. But now the Washington Post reports that Verizon, the largest provider of landline phones in the Washington DC region, is asking state regulators for permission to stop delivering the residential white pages in Virginia and Maryland. About a dozen other states are also doing away with printed phone books as surveys show that the number of households relying on residential white pages dropped from 25 percent in 2005 to 11 percent in 2008. The directories will be available online, printed or on CD-ROM upon request but the inches-thick white pages, a fixture in American households for more than a century, will no longer land on porches with a thud each year. 'I'm kind of amazed they lasted as long as they have,' says Robert Thompson, a professor of popular culture at Syracuse University. 'But there are some people nostalgic about this. Some people like to go to the shelf and look up a number.'"

For my Forensic and Ethical Hacker students

What EXIF Photo Data Is, How To Find It & How To Understand It

The data itself can reveal some pretty interesting stuff about your photos. As well as the exact time and date you pressed the shutter (provided your camera time and date was correct, of course), a lot of technical information regarding the photograph is captured as well.

… Newer mobile phones and cameras with geotagging ability (using GPS to record the exact location of the image) now store this information within a file’s EXIF data. Web services such as Flickr can then create a map of photographs tagged in this manner.
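To show students what the article means in concrete terms, here is an added example (my own code, not from the MakeUseOf piece) that walks a JPEG's marker segments, decodes the Exif IFDs with only the standard library, reports the timestamp and GPS position a photo would disclose, and strips the Exif segment as the pre-upload mitigation. The tag numbers (0x0132 DateTime, 0x8825 GPS IFD pointer, GPS tags 1 to 4) are from the EXIF/TIFF specifications; the sample JPEG and its coordinates are constructed test data.

```python
import struct

# Tag ids from the EXIF 2.2 / TIFF specs; only the subset a privacy review cares about.
IFD0_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfoIFDPointer"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per element, by TIFF type


def _segments(jpeg):
    """Yield (marker, offset, segment bytes) for each marker segment before the scan data."""
    if jpeg[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start-of-scan or end-of-image: no more metadata segments
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, offset, endian, names):
    """Decode one IFD at `offset` inside the TIFF block into {tag name: value}."""
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    out = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(endian + "HHI4s", tiff, offset + 2 + 12 * i)
        size = TYPE_SIZES.get(typ, 1) * n
        if size <= 4:                      # values of 4 bytes or less are stored inline
            data = raw[:size]
        else:                              # longer values live at an offset in the TIFF block
            (ptr,) = struct.unpack(endian + "I", raw)
            data = tiff[ptr:ptr + size]
        name = names.get(tag, "0x%04X" % tag)
        if typ == 2:                       # ASCII, NUL-terminated
            out[name] = data.rstrip(b"\0").decode("ascii", "replace")
        elif typ in (3, 4):                # SHORT / LONG
            vals = struct.unpack(endian + "%d%s" % (n, "H" if typ == 3 else "I"), data)
            out[name] = vals[0] if n == 1 else vals
        elif typ == 5:                     # RATIONAL: numerator/denominator pairs
            vals = struct.unpack(endian + "%dI" % (2 * n), data)
            out[name] = tuple(vals[j] / vals[j + 1] for j in range(0, 2 * n, 2))
        else:
            out[name] = data
    return out


def parse_exif(jpeg):
    """Return IFD0 tags (plus a nested 'GPS' dict if present) from the Exif APP1 segment, or {}."""
    for marker, _, seg in _segments(jpeg):
        if marker == 0xE1 and seg[4:10] == b"Exif\0\0":
            tiff = seg[10:]
            endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
            magic, ifd0 = struct.unpack_from(endian + "HI", tiff, 2)
            if magic != 42:
                raise ValueError("bad TIFF header in Exif segment")
            tags = _read_ifd(tiff, ifd0, endian, IFD0_TAGS)
            gps_ptr = tags.pop("GPSInfoIFDPointer", None)
            if gps_ptr is not None:
                tags["GPS"] = _read_ifd(tiff, gps_ptr, endian, GPS_TAGS)
            return tags
    return {}


def gps_decimal(gps):
    """Turn degrees/minutes/seconds rationals plus hemisphere refs into signed decimal degrees."""
    def dms(vals, ref):
        deg = vals[0] + vals[1] / 60 + vals[2] / 3600
        return -deg if ref in ("S", "W") else deg
    return dms(gps["GPSLatitude"], gps["GPSLatitudeRef"]), dms(gps["GPSLongitude"], gps["GPSLongitudeRef"])


def privacy_report(jpeg):
    """List what this file would disclose about when and where it was taken."""
    tags = parse_exif(jpeg)
    findings = []
    if "DateTime" in tags:
        findings.append("timestamp: " + tags["DateTime"])
    if "GPSLatitude" in tags.get("GPS", {}):
        findings.append("location: %.4f, %.4f" % gps_decimal(tags["GPS"]))
    return findings


def strip_exif(jpeg):
    """Return a copy of the JPEG with every Exif APP1 segment removed (the usual pre-upload fix)."""
    out, end = bytearray(jpeg[:2]), 2
    for marker, off, seg in _segments(jpeg):
        if not (marker == 0xE1 and seg[4:10] == b"Exif\0\0"):
            out += seg
        end = off + len(seg)
    return bytes(out) + jpeg[end:]


def build_sample_jpeg():
    """Constructed test data: a header-only JPEG whose Exif block carries DateTime and a GPS IFD."""
    e = "<"  # little-endian ("II") TIFF block
    # Offsets inside the TIFF block: IFD0 at 8, DateTime at 38, GPS IFD at 58, lat at 112, lon at 136.
    tiff = b"II" + struct.pack(e + "HI", 42, 8)
    tiff += struct.pack(e + "H", 2)
    tiff += struct.pack(e + "HHII", 0x0132, 2, 20, 38)      # DateTime, ASCII, stored at offset 38
    tiff += struct.pack(e + "HHII", 0x8825, 4, 1, 58)       # GPS IFD pointer
    tiff += struct.pack(e + "I", 0) + b"2010:11:20 09:30:00\0"
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", 0x0001, 2, 2) + b"N\0\0\0"
    tiff += struct.pack(e + "HHII", 0x0002, 5, 3, 112)
    tiff += struct.pack(e + "HHI", 0x0003, 2, 2) + b"W\0\0\0"
    tiff += struct.pack(e + "HHII", 0x0004, 5, 3, 136)
    tiff += struct.pack(e + "I", 0)
    tiff += struct.pack(e + "6I", 41, 1, 24, 1, 0, 1)        # 41 deg 24' 0" N (made-up point)
    tiff += struct.pack(e + "6I", 81, 1, 41, 1, 0, 1)        # 81 deg 41' 0" W
    app1 = b"Exif\0\0" + tiff
    return b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xFF\xD9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("\n".join(privacy_report(sample)))                 # timestamp and location lines
    print("after strip:", privacy_report(strip_exif(sample)))  # []
```

Run it against a real camera file by replacing `build_sample_jpeg()` with `open(path, "rb").read()`; anything the report prints is what Flickr-style services can map.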

A growing trend in education. Ask questions that can ONLY be answered using computers. Or at least learn what questions to ask and ALLOW the computer to do the drudge work.

November 17, 2010

NYT: Digital Keys for Unlocking the Humanities’ Riches

NYT: "Members of a new generation of digitally savvy humanists argue it is time to stop looking for inspiration in the next political or philosophical “ism” and start exploring how technology is changing our understanding of the liberal arts. This latest frontier is about method, they say, using powerful technologies and vast stores of digitized materials that previous humanities scholars did not have. These researchers are digitally mapping Civil War battlefields to understand what role topography played in victory, using databases of thousands of jam sessions to track how musical collaborations influenced jazz, searching through large numbers of scientific texts and books to track where concepts first appeared and how they spread, and combining animation, charts and primary documents about Thomas Jefferson’s travels to create new ways to teach history...the National Endowment for the Humanities teamed up with the National Science Foundation and institutions in Canada and Britain last year to create the Digging Into Data Challenge, a grant program designed to push research in new directions."

For my Techie students. (Note: Handing in papers with 'cloudy reasoning' isn't a resume item.)

Want an IT Job? Add 'Cloud' To Your Buzzword List

"There was a predicted uptick in IT hiring for late this year, but it's mid-November and it hasn't happened yet. Kevin Fogarty does see growth in one area, though: cloud and virtualization experts are being fought over, lured away from in-house jobs to cloud consultancies popping up everywhere."

Wednesday, November 17, 2010

The cost of Identity Theft.

New TD Ameritrade data theft settlement offers people $50-$2,500 for ID theft in 2007 breach

Millions of current and former TD Ameritrade customers whose contact information may have been stolen more than three years ago will be eligible to receive as much as $2,500 under a new proposed settlement agreement.

But it's not clear how many of the 6.2 million TD Ameritrade customers affected will be able to collect anything under the proposed settlement outlined in court documents filed Monday, because the payments will only be offered to identity-theft victims. And most of the payments, which would range between $50 and $2,500 per person, will likely be less than the maximum.

A federal judge who rejected an earlier settlement agreement also must approve the deal.

The new proposed settlement, which is the second attempt at resolving the lawsuit, will cost Ameritrade between $2.5 million and $6.5 million. If claims worth more than $6.5 million are submitted, the payments to individuals and the plaintiffs' lawyers will be reduced.

… Plaintiffs' attorney Gretchen Nelson said it's difficult to prove an identity theft was caused by a particular data breach, so the settlement is designed to allow for that.

Ameritrade's Petrick said customers won't have to prove their identity theft problems were related to the data theft. As long as people can show they were Ameritrade customers and suffered identity theft from an unknown cause, they will be able to submit a claim for payment.

… If the claims submitted and attorneys' fees in the settlement add up to less than $2.5 million, Ameritrade will donate any remaining money up to $2.5 million to non-profit groups concerned about privacy rights, such as the Electronic Privacy Information Center.

Starting the “paying for our sins” process...

AvMed sued over loss of computers holding personal information

Five AvMed Health Plans customers filed a class-action lawsuit Tuesday against the health insurer on behalf of 1.2 million people whose personal information was on two laptops that went missing from the company’s Gainesville office.

AvMed officials said there are no known cases of identity theft connected to the incident. [I imagine the conversation was more like: “Has anyone found out the data came from us?” Bob] One of the computers was recovered soon after the incident.

The lawsuit contends AvMed violated federal health privacy rules, industry standards and its own stated consumer protections in not securing the computers or encrypting the data on the computers.

The plaintiffs are suing for damages and to enforce data security measures.

… AvMed officials previously said the data were scrambled in such a way as to make the risk of identity theft very low. [Data stored in Relational Databases is not in the same sequence as data on a paper form. That does not mean the data cannot be easily reassembled. Bob]

… The company also says it has strengthened its data security and procedures. [Is that “proof” that their security was not adequate before the theft? Bob]

… The two laptops were reported missing from a locked conference room on Dec. 11, 2009. AvMed waited until February to notify 360,000 customers whose information was on the laptops to avoid hindering the investigation and to set up identity protection services. Another 860,000 customers were notified in June after AvMed determined their information was on the computers. [Did it really take them 6 months to determine what data was on the laptops? Bob]

It's not Wikileaks, but there is no whistleblower protection either.

Verizon breach disclosure web launched

November 17, 2010 by admin

Last week I posted a news item that Verizon was creating a web site where breaches could be reported anonymously. U.K. lawyer Stewart Room raises an interesting concern about using the site:

This is a fascinating concept, but from a legal perspective it is potentially fraught with difficulty for those organisations whose employees decide to take advantage of the service; if the organisation by its workers decides that it is ok to report incidents, albeit anonymously, to a third party, then it can attract close scrutiny about its breach reporting procedures in a general and specific sense, perhaps attracting the charge that it should be reporting to regulators too; ultimately, there are learning and mitigation purposes that are served in reporting to both recipients; the difficult question that will need to be thought through is “why is anonymous reporting ok, when open reporting is not?” Imagine a line of cross examination in a court environment that could be faced by the IT worker who unilaterally went down the route of reporting to a third when their organisation decided to keep quite (sic)…

Read more on Stewart Room.

About time!

US data laws spur encryption take-up

Data security laws are now the main reason US companies take up encryption, for the first time surpassing even anxiety over data breaches, a new report by the Ponemon Institute on behalf of Symantec has found.

Now in its fourth year, the 2010 US Enterprise Encryption Trends study found that regulations were cited as the biggest factor for using encryption by 69 percent of the nearly 1,000 IT security respondents surveyed in larger companies and government.

View The 2010 Annual Study: U.S. Enterprise Encryption Trends (registration required)

(Related) For my Ethical Hackers

For 18 Minutes, 15% of the Internet Routed Through China

Posted by CmdrTaco on Tuesday November 16, @02:24PM

"For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs."

The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.

Summary only, but it is always interesting to see what drops out when the politicians get their fingers in the pie...

Commerce Dept. weighs privacy policy guidelines

Trade publication TR Daily obtained a copy of a draft summary of the report.

(Related) Do you suppose the guidelines address anything like this?

The Quantified Self: Personal Choice and Privacy Problem?

November 16, 2010 by Dissent

Another thought-provoking blog by Scott Peppet over on Concurring Opinions. Here’s part of it:

…. And what of privacy? It may not seem that an individual’s choice to use these technologies has privacy implications — so what if you decide to use FitBit to track your health and exercise? In a forthcoming piece titled “Unraveling Privacy: The Personal Prospectus and the Threat of a Full Disclosure Future,” however, I argue that self-tracking — particularly through electronic sensors — poses a threat to privacy for a somewhat unintuitive reason.

I do not worry that sensor data will be hacked (although it could be), nor that the firms creating such sensors or web-driven tracking systems will share it underhandedly (although they could), nor that their privacy policies are weak (although they probably are). Instead, I argue that these sensors and tracking systems are creating vast amounts of high-quality data about people that has previously been unavailable, and that we are already seeing ways in which sharing such data with others can be economically rewarding. For example, car insurance companies are now offering discounts if you install an electronic monitor in your car that tells the insurer your driving habits, and employers can use DirectLife devices to incentivize employees to participate in fitness programs (thereby reducing health insurance costs).

Such quantified, sensor-driven data become part of what I call the “Personal Prospectus.” The Personal Prospectus is a metaphor for the increasing array of verified personal information that we can share about ourselves electronically. Want to price my health insurance premium? Let me share with you my FitBit data. Want to price my car rental or car insurance? Let me share with you my regular car’s “black box” data to prove I am a safe driver. Want me to prove I will be a diligent, responsible employee? Let me share with you my real time blood alcohol content, how carefully I manage my diabetes, or my lifelong productivity records.

Read the whole thing on Concurring Opinions.

Interesting. The NYT saying government can't do anything it wants...

Searching Your Laptop

November 16, 2010 by Dissent

A New York Times editorial begins:

Federal courts have long agreed that federal agents guarding the borders do not need a warrant or probable cause to search a traveler’s belongings. That exception to the Fourth Amendment needs updating and tightening to reflect the realities of the digital age.

The government has a sovereign right and responsibility to secure the borders. The recent discovery of two powerful package bombs being shipped to the United States is a reminder of the many dangers out there.

There is also a big difference between government agents scanning items for explosives or looking through a suitcase full of clothing, and searching through the hard drive of a laptop computer containing work papers, financial records, e-mail messages and Web site visits.

Read more in the New York Times.

Trust us! I suppose this would be attached to my dossier...

One Hundred Naked Citizens: One Hundred Leaked Body Scans

November 16, 2010 by Dissent

At the heart of the controversy over “body scanners” is a promise: The images of our naked bodies will never be public. U.S. Marshals in a Florida Federal courthouse saved 35,000 images on their scanner. These are those images.

A Gizmodo investigation has revealed 100 of the photographs saved by the Gen 2 millimeter wave scanner from Brijot Imaging Systems, Inc., obtained by a FOIA request after it was recently revealed that U.S. Marshals operating the machine in the Orlando, Florida courthouse had improperly, perhaps illegally, saved images of the scans of public servants and private citizens.

Read more on Gizmodo and watch the video.


(Related) Pilots can't be terrorists. (Reverse profiling?) Makes me wonder who else is exempt (Congress?)

TSA plans modest changes to 'virtual strip searches'

… TSA administrator John Pistole said today that the agency will be "announcing some new policies" in the "near future" that will change the screening process for pilots, who have protested being forced to choose between a "virtual strip search" or an invasive pat-down a few minutes before they're handed the controls of a 975,000-pound kerosene-fueled missile in the form of a jumbo jet. (See our previous coverage.)

(Related) Security screening = roach motel.

TSA Investigating ‘Don’t Touch My Junk’ Passenger

The TSA has launched an investigation of a passenger in San Diego who left the airport after opting out of an invasive body scan and criticizing the proposed alternative pat-down.

John Tyner, a 31-year-old software programmer, recorded the encounter on his mobile phone and posted it to his blog. From there, it quickly went viral, tapping a groundswell of frustration over TSA’s procedures.

But far from backing down, the TSA told local reporters that it’s now investigating the passenger, who may face an $11,000 fine if the agency sues him.

“What he’s done, he’s violated federal law and federal regulations which states once you enter and start the process you have to complete it,” TSA’s San Diego security director told the Fox 5 News.

(Related) How the rest of the world sees the TSA? Humor, I think...

Taiwanese Animators Recreate TSA ‘Junk’ Incident

Computer Security tools & Techniques. Looks like a “real time” log analyzer. Hard to believe this is really new...

‘Fingerprint’ software to stem cyber crime

November 16, 2010 by admin

Revolutionary digital fingerprinting software invented by Edinburgh computer scientists could be set to stem the growing tide of cyber crime.

The technology, developed at Edinburgh Napier University, allows CCTV-style monitoring of online systems.

It digitally mimics the DNA matching process used in the real world.

The software, which will be on sale in six months, works out what classified data has been accessed by the hacker before alerting the company’s managers. [If it knows “Hacker” and “Classified Data” Why not STOP the access? Bob]

Read more on BBC.


1) recognize a market 2) fulfill the demand 3) retire

Teen Can't Wait for Apple: Orders iPhone 4 Parts Direct From Foxconn, Makes $130,000

According to The Observer, Lam realized there could be big money in getting white iPhone 4 parts early, and he made attempts to skip Apple and directly contact the company's controversial supplier, Foxconn.

"I knew a guy from a few years back that had somewhat of a relationship with folks in Foxconn," Lam, who speaks fluent Chinese, told The Observer.

After arranging orders for parts to make a white iPhone 4 conversion kit, Lam created, which offers the parts for between $135 and $279. The site soon went viral thanks to the tech blogosphere, and Lam made a killing. Since August alone, he's pulled in more than $130,000 from selling the white conversion kits, according to The Observer.

For my students

Blumind – A Beautiful, Lightweight & Portable Mindmap Application [Windows]

Do you use mindmaps? This method of organizing information is popular in academia because it helps people make sense of cluttered information. But the use of mindmaps is not limited to educational environments.

Anybody can use mindmaps for various purposes, for example to remember school subjects faster, to expand a topic to write about, to organize ideas, to break down a complicated project, and many more.

While the traditional pen and paper method is still used today, you can also use your computer to generate your mindmaps. There are many mindmap creators out there that you can choose and use. One of the free alternatives to create and manage your mindmaps is Blumind.

Since the site is in Chinese, you might need a little help from Google Translate.

Tuesday, November 16, 2010

Cyber War: Does this sound like the work of a bored teenager? Or 'the continuation of Politics by other means?'

Stuxnet Was Designed To Subtly Interfere With Uranium Enrichment

Posted by Soulskill on Tuesday November 16, @05:04AM

"Wired is reporting that the Stuxnet worm was apparently designed to subtly interfere with uranium enrichment by periodically speeding or slowing specific frequency converter drives spinning between 807Hz and 1210Hz. The goal was not to cause a major malfunction (which would be quickly noticed), but rather to degrade the quality of the enriched uranium to the point where much of it wouldn't be useful in atomic weapons. Statistics from 2009 show that the number of operational enrichment centrifuges in Iran mysteriously declined from about 4,700 to about 3,900 at around the time the worm was spreading in Iran."

(Related) Think of software that locates and monitors targeting systems and changes coordinates randomly...

State-Sponsored CyberAttacks Expected To Rise

Posted by Soulskill on Monday November 15, @05:26PM

"According to a report released today, IT security professionals will see a rise in State-sponsored attacks, like the Stuxnet worm, that will build on concepts and techniques from the commercial hacker industry to create more powerful 'Advanced Persistent Threats.' The researchers also expect an increase in compromised mobile devices leading to data theft or loss as a result of lagging security measures, and that next year will bring the first major data breaches as a result of compromised devices. The biggest potential impact will be caused by the proliferation of sophisticated mobile devices interacting with corporate networks."

Was it a case of “Ready, Fire, Aim?” Or simply, “we can, therefore we must?” Note that questions we've been asking about how long they keep the scanned images are no longer “important”

November 15, 2010

Frequent Flyer Backlash Heightens Over Full-body Scanners at Airports

Follow up to previous postings on government implementation of whole body scanning technology at airports, via National Journal, "The Transportation Security Administration is working to create an alternative screening process for pilots, the agency's chief said this morning, amid mounting protests by airline pilots over new airport scanners criticized as invasive and hazardous to health due to radiation exposure."

A fair summary of Facebook's new tool. Can we live without it? Can we live with it? Seems that this will increase “interruption”

New Facebook Messaging System Announced

Posted by Soulskill on Monday November 15, @02:01PM

Mark Zuckerberg just held a presentation to unveil Facebook's "next generation messaging" system. He repeatedly drove home the idea that "this is not email," nor is it "an email killer." Their plan is to tie together multiple forms of communication — email, texts, social updates, etc. — and blend them into conversations. As users go about their days, interacting with a variety of devices, the communication method automatically updates to whatever is appropriate at the time. If a user receives an email while he's at a desktop, browsing Facebook, it will bring up the message in a Facebook chat window. If the user is browsing on a smartphone, it will bring up the message there, instead. If it's a dumbphone, then a text message can be sent. Another central feature is the idea that conversation histories from multiple sources and different forms of communication can be integrated through Facebook, so that you no longer have to separately root through IM logs, SMS logs, old emails, etc., to see old correspondence. (Users will have the ability to delete these, should they desire.) The last major feature they mentioned is what they call the "social" inbox, which is based on whitelisting. Users will be able to set up primary inboxes which only display communications they definitely want to see, while leaving low-priority messages, spam, and all the other noise typical to email in an inbox they check less frequently. The new system will be rolled out slowly over the next few months.

Making Security the default!

Forcing browsers to use encryption

Help is on the way for Web surfers who run the risk of having their Facebook, Twitter, and other Web accounts hijacked over unsecured Wi-Fi networks and other security issues that result from sites not using encryption.

A Web security mechanism called HTTP Strict Transport Security (HSTS) is making its way through the IETF (Internet Engineering Task Force) standards process, and two of the major browsers are supporting it. Web sites that implement HSTS will prompt the browser to always connect to a secure version of the site, using "https," without the Web surfer having to remember to type that in the URL bar.

It will render useless tools like Firesheep, a Firefox add-on that lets people easily capture HTTP session cookies that sites use to communicate with computers. Firesheep was released at ToorCon last month.

HSTS is used in Google Chrome and the NoScript [One I recommend Bob] and Force-TLS Firefox plug-ins and is being implemented in the upcoming version of Firefox, according to a blog post by Jeff Hodges, a security engineer at PayPal. Hodges wrote the original draft specification for HSTS with Collin Jackson, a former Googler and current assistant research professor at Carnegie Mellon University Silicon Valley, and Adam Barth, a Google engineer.

"This allows for full-session encryption," Jackson told CNET. "A user won't see an insecure version of the site."
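To make the mechanism concrete, here is an added example (not code from the article, the browsers, or the HSTS authors) of the browser-side policy store HSTS relies on: the Strict-Transport-Security header is honoured only on a TLS response, the host is remembered for max-age seconds (optionally with its subdomains), and any later plain http URL for a remembered host is rewritten to https before a request, and therefore a session cookie, ever leaves the machine. The header and directive names are those of the HSTS specification; the host names and timestamps are constructed.

```javascript
// Parse a Strict-Transport-Security header value into a policy, or null if invalid.
// Directive names are case-insensitive; unknown directives are ignored per the spec.
function parseHsts(headerValue) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawPart of headerValue.split(';')) {
    const part = rawPart.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? null : part.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      if (value === null || !/^\d+$/.test(value)) return null; // malformed max-age
      maxAge = parseInt(value, 10);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  if (maxAge === null) return null; // max-age is mandatory
  return { maxAge, includeSubDomains };
}

// Simplified "known HSTS hosts" store: host -> { expires (ms since epoch), includeSubDomains }.
class HstsStore {
  constructor() { this.hosts = new Map(); }

  // Record policy from a response. Only a response received over TLS may set or
  // clear policy; an http response could have been injected by someone on the Wi-Fi.
  noteResponse(host, overTls, headerValue, nowMs) {
    if (!overTls || headerValue === undefined) return;
    const policy = parseHsts(headerValue);
    if (policy === null) return;
    if (policy.maxAge === 0) { this.hosts.delete(host); return; } // max-age=0 withdraws policy
    this.hosts.set(host, {
      expires: nowMs + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
  }

  // True if host is covered by an unexpired policy, either directly or through a
  // parent domain whose policy carried includeSubDomains. Expired entries are dropped.
  isKnown(host, nowMs) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const entry = this.hosts.get(candidate);
      if (!entry) continue;
      if (entry.expires <= nowMs) { this.hosts.delete(candidate); continue; }
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // Rewrite an http URL for a known host to https before the request is sent.
  // This is the step that leaves Firesheep nothing to capture on the wire.
  upgrade(urlString, nowMs) {
    const url = new URL(urlString);
    if (url.protocol === 'http:' && this.isKnown(url.hostname, nowMs)) {
      url.protocol = 'https:';
    }
    return url.toString();
  }
}
```

The expiry check shows the practical caveat: a site that sends a short max-age, or sends the header only on some responses, leaves windows in which the browser will still go out over plain http.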

There is no “E-mily Post,” but perhaps there should be.

The 12 Rules of Sex and Tech

Every man and woman in a modern relationship must navigate a complicated set of unspoken rules and etiquette for technology. Is it OK to tweet from the dinner table? Can one go online while the other watches TV? To find out, The Daily Beast's Claire Howorth and Brian Ries spoke with people in various stages of relationships about the sensibility of sharing passwords, the importance of the Facebook relationship status, and the ignorance of checking the phone after sex.

In our list, we present 12 common situations where technology has wormed its way into our lives, introduce the rules we should live by, and get the scoop from both sexes.

How does “Hey chubby! Want a diet drink?” improve sales?

'Smart' Vending Machines Triple Sales

Posted by Soulskill on Monday November 15, @03:24PM

"A vending machine in Japan which recommends drinks to customers based on facial recognition data has tripled sales. JR East Water Business has previously installed two vending machines in JR Shinagawa station and it is believed that the recognition technology is responsible for a vast increase in sales in comparison to traditional machines. The vending machines recommend beverages after physical attributes of customers are picked up by sensors which allow the machines determine age, sex and other attributes, before offering a number of suggestions."

A tool for my Ethical Hackers (Moving hacking tools into the cloud) Making your tools portable. - Running Desktop Apps From The Cloud

Spoon is a virtualization platform that lets you run desktop apps from the cloud. If you install the provided plug-in, you will be able to access these applications you love without having to worry about installing or updating them. Since everything is hosted on the cloud, that part is done for you. And I am sure you have guessed as much by now, but you can also use Spoon to play games.

Again - the same principles apply. There is nothing to install, and no need to ensure you have the latest version or patch. As long as you have installed the Spoon plug-in, you will be able to play all the games that are included on the site.

Some of the featured apps are TweetDeck, Skype, VLC Media Player, Adobe Reader, WinAmp, GOMPlayer... You can check the best of the best on the main page. And the same goes for the featured games, of course - the best titles are spotlighted for all to see.