Saturday, December 18, 2010

I wonder if any of Silverpop's customers actually audited their security? That would seem to be a prudent step before relying on them to protect sensitive data.

13 million deviantART e-mail addresses exposed by hackers

December 17, 2010 by admin

Matthew Humphries covers a Silverpop-related deviantART e-mail address hack mentioned previously on this blog:

Pre-Christmas 2010 will be remembered as the time when well-known online brands and websites started to fall to hackers. The biggest of them all so far has been Gawker, and we’ve also seen McDonalds have its databases compromised this week. But that’s not the end of the security breaches.

Today deviantART, the largest online community of artists, has announced its user database has also been compromised. The fallout: up to 13 million user e-mail addresses, usernames, and birth dates exposed and likely used by spammers.

The breach occurred through Silverpop Systems Inc. It’s a marketing company deviantART uses to communicate with its users through a mailing list, but now seems to be a weak point in securing user data. The company is assuming the data was stolen by spammers.

The only saving grace is passwords were not taken, so if you have a deviantART account it has not been compromised. What it will likely result in is a lot more spam e-mails being directed to those 13 million accounts.


[From the article:

The data stolen also brings up a few questions. Most importantly why is the site sharing date of birth information with a marketing company? Is it for more targeted advertising? If this is the case it should stop, as a number of sites still rely on date of birth as a security question.

Although fairly harmless on its own, a date of birth combined with an e-mail address may be enough to compromise security on other sites. For example, you have an e-mail and password login with date of birth check for recovering that password.

[Remember too that Spammers could be building a dossier database similar to the ones Behavioral Advertisers construct. Bob]

This would be funny if it wasn't yet another indication of a failure to understand basic security practices.

(follow-up) Massachusetts man pleads guilty to selling and using TSA employees’ identities

December 17, 2010 by admin

A Lynn man pleaded guilty in federal court today to selling and using the names, dates of birth, and Social Security numbers of Transportation Security Administration employees who worked at Logan Airport.

Michael Debring, A/K/A Michael Washington, 49, pleaded guilty before U.S. District Judge Nathaniel M. Gorton to conspiracy, misrepresenting a Social Security number with intent to defraud, possessing 15 or more unauthorized access devices with intent to defraud, and aggravated identity theft.

At today’s plea hearing, the prosecutor told the Court that had the case proceeded to trial, the Government’s evidence would have proved that between July 2008 and December 9, 2009, Derring and his co-conspirator, Tina White, opened accounts using TSA employees’ identities to obtain gas, electric, cable television, telephone, and other services for themselves and their relatives, friends and customers. Some recipients of the services would not pay the bills, knowing that the account-holder details did not match the recipients’ identities.

… Derring obtained the names, dates of birth, and Social Security numbers of employees who worked for TSA at Logan Airport from a relative who worked as a contractor at TSA’s department of human resources.

… Source: U.S. Attorney’s Office, Massachusetts

Now this is how everyone should approach their security planning.

NSA Considers Its Networks Compromised

"Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable — not even that of the NSA. 'There's no such thing as "secure" any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly."

Yet another indication that Politicians aren't like us second class citizens...

AU: Parliament porn users’ ID a secret

December 17, 2010 by Dissent

Alexandra Smith reports:

The NSW Parliament will not discipline or even identify staff members or MPs who used the parliamentary computer system to access websites that contained “sexually explicit images of young people”.

The Speaker of the Legislative Assembly, Richard Torbay, and the President of the Legislative Council, Amanda Fazio, have declared the matter closed despite confirmation that nine inappropriate websites were accessed.

In a statement yesterday, they confirmed that advice from the Crown Solicitor was that there was “no legal obligation to refer the information in the report to the NSW Police Force”.

The identity of the staff or MPs who accessed the pornographic sites will remain secret, ensuring no one can be disciplined, despite an obvious breach of the Parliament’s IT guidelines.

Read more in The Age.

Now, see, I wouldn’t think that public officials using publicly funded work-related computers should have an expectation of privacy if they engage in such conduct.

[From the article:

Ernst & Young was commissioned to review the internet filter after a parliamentary human resources executive, Lisa Vineburg, commissioned an unauthorised audit [I wonder if she got canned? Bob] of internet use by all MPs and staff.

The raw data ended the ministerial career of the MP for Heathcote, Paul McLeay, who resigned after he learned details of his internet use had been leaked to the media. He admitted he had repeatedly visited pornographic and gambling sites from the parliamentary computer system.

I'm not sure I fully agree with this. If it is okay for the cops to follow someone without a warrant (it is, isn't it?) why can't they use technology to make their work more efficient? Is it the “sneaking onto private property to attach the device” that is the real concern? How about remotely turning on the OnStar or other devices in the car to report locations visited?

Delaware and Massachusetts courts strike down warrantless GPS tracking

December 17, 2010 by Dissent


The Delaware Superior Court has ruled that police must obtain a warrant before using GPS devices to monitor vehicles. The Court said that the Delaware Constitution protects its citizens’ reasonable expectation of privacy from “constant surveillance.” “Everyone understands there is a possibility that on any one occasion or even multiple occasions, they may be observed by a member of the public or possibly law enforcement,” the Court reasoned, “but there is not such an expectation that an omnipresent force is watching your every move.” In a related case, the Massachusetts Supreme Court held that a warrant is required for the use of a GPS tracking device. EPIC filed an amicus brief in that case.


Susan Freiwald on United States v. Warshak: Sixth Circuit Brings Fourth Amendment Protection to Stored Email, At Last

December 18, 2010 by Dissent

Susan Freiwald, one of the law professors whose articles were cited in the recent Warshak decision, has this commentary and analysis on Concurring Opinions:

Finally! A Federal Appellate Court has brought the Fourth Amendment to stored email! On December 14th, in United States v. Warshak, the 6th Circuit held that when government agents compel an Internet Service Provider (ISP) to disclose its user’s stored emails, they invade the user’s reasonable expectation of privacy, which constitutes a search under the Fourth Amendment and requires a warrant or an applicable exception.

In a 2007 decision, a panel of the 6th Circuit found a reasonable expectation of privacy (REP) in Warshak’s stored emails when he sought an injunction, but the 6th Circuit, en banc, vacated that decision the next year on ripeness grounds. The case decided three days ago concerned Warshak’s appeal of his criminal conviction of an array of charges related to fraudulent business practices. The trial was long and involved (and much of the decision concerns other issues). As part of the investigation, prosecutors seized 27,000 of Warshak’s private emails, ex parte, and without first getting a warrant. Along with Patricia Bellia, of Notre Dame, I wrote an amicus brief for law professors prior to the 2007 decision, and have written law review articles (with Tricia) on the topic since. Below, I explain the court’s constitutional analysis, discuss why this discussion was so long in coming and share some thoughts about the future.

Read more of her analysis on Concurring Opinions.

Who is Dale Carnegie? Clausewitz said something to the effect that “war was a continuation of politics by other means.” How does that work when the politician is crazy?

North Korea Says War With South Would Go Nuclear

"According to reports from the Uriminzokkiri, the official website of the Democratic People's Republic of Korea, a war with South Korea would involve nuclear weapons, and '[will] not be limited to the Korean peninsula.' The article goes on, 'The Korean peninsula remains a region fraught with the greatest danger of war in the world. This is entirely attributable to the US pursuance of the policy of aggression against the DPRK (North Korea).'"

Friday, December 17, 2010

What great advertising! A “Security firm” had their unencrypted hard drives stolen. A question for my MBA students: Why do you need information on former employees on a computer in Iraq?

Wackenhut stolen hard drive contained employee info

December 16, 2010 by admin

On December 9, Wackenhut Services Limited Liability Company notified the New Hampshire Attorney General’s Office that a hard drive stolen in transit between the firm’s office in Iraq and the firm’s U.S. office contained personal information on past employees, including their first and last names, dates of birth and places of birth, passport numbers, last known home addresses, and Social Security Numbers.

The theft was discovered by the security services firm on November 29 and the firm indicated that those affected would be notified by certified mail on Dec. 13.

The total number of employees affected was not indicated in their notification.

This is logical, but would have been discovered eventually by trial and error. Organizations that collect email addresses have more of them than organizations that don't.

Fallout from Recent Spear Phishing Attacks?

December 17, 2010 by admin

Brian Krebs writes:

McDonald’s and Walgreens this week revealed that data breaches at partner marketing firms had exposed customer information. There has been a great deal of media coverage treating these and other similar cases as isolated incidents, but all signs indicate they are directly tied to a spate of “spear phishing” attacks against e-mail marketing firms that have siphoned customer data from more than 100 companies in the past few months.

On Nov. 24, I published an investigative piece that said criminals were conducting complex, targeted e-mail attacks against employees at more than 100 e-mail service providers (ESPs) over the past several months in a bid to hijack computers at companies that market directly to customers of some of the world’s largest corporations.


For my Statistics students?

December 16, 2010

11.7 Million Persons Reported Identity Theft Victimization in 2008

News release

  • "An estimated 11.7 million persons, representing five percent of all persons age 16 or older in the United States, were victims of identity theft during the two years prior to being surveyed in 2008, the Bureau of Justice Statistics (BJS) announced today. The financial losses due to the identity theft totaled more than $17 billion. Identity theft was defined in the survey as the attempted or successful misuse of an existing account, such as a debit or credit account, misuse of personal information to open a new account, or misuse of personal information for other fraudulent purposes, such as obtaining government benefits. Approximately 6.2 million victims (three percent of all persons age 16 or older) experienced the unauthorized use or attempted use of an existing credit card account, the most prevalent type of identity theft. An estimated 4.4 million persons reported the misuse or attempted misuse of a banking account, such as a debit, checking or savings account. Another 1.7 million persons experienced the fraudulent misuse of their information to open a new account, and about 618,900 persons reported the misuse of their information to commit other crimes, such as fraudulently obtaining medical care or government benefits or providing false information to law enforcement during a crime or traffic stop. About 16 percent of all victims (1.8 million persons) experienced multiple types of identity theft during the two-year period."

Cyber War: Now this is interesting... Sort of a “Pelican Brief”

Stuxnet’s Finnish-Chinese Connection

I recently wrote a white paper [that I missed Bob] entitled “Dragons, Tigers, Pearls, and Yellowcake” in which I proposed four alternative scenarios for the Stuxnet worm other than the commonly held assumption that it was Israel or the U.S. targeting Iran’s Bushehr or Natanz facilities.

As far as China goes, I’ve identified 5 distinct ties to Stuxnet that are unique to China as well as provided a rationale for the attack which fits China’s unique role as Iran’s ally and customer, while opposing Iran’s fuel enrichment plans. There’s still a distinct lack of information on any other facilities that suffered damage, and no good explanations for why there was such massive collateral damage across dozens of countries if only one or two facilities in one nation state were the targets. However, based solely on the known facts, I consider China to be the most likely candidate for Stuxnet’s origin.

Technology for vigilantes? Perhaps we should have a “full” suite of such apps, like: a Poor Personal Hygiene app that sends a note to your mommy; a Weed Wacker app for neighbors with bad lawns; and don't get me started on the potential for teacher/student apps: e.g. a Try Spell Checking app.

Big Brotheresque App Kills Your Automotive Anonymity

A new app that lets frustrated drivers vent their anger at boneheaded motorists already has branded your bumper with a “How’s My Driving” sticker, and it could raise your insurance premium. It’s like having thousands of unmarked police cars and speed cameras on every roadway, and it could spell the end of anonymity behind the wheel.

DriveMeCrazy, developed by Shazam co-founder Philip Inghelbrecht, is a voice-activated app that encourages drivers to report bad behavior by reciting the offender’s license plate into a smartphone. The poor sap gets “flagged” and receives a virtual “ticket,” which may not sound like much until you realize all the information — along with date, time and location of the “offense” — is sent to the DMV and insurance companies.

Anyone can write a ticket, even pedestrians and cyclists. No one is safe from being tattled on. Even if you don’t use the program, which went live Wednesday, you can’t opt out of being flagged if someone thinks you’re driving like a schmuck. Inghelbrecht is emphatic in saying he sees no privacy issues with the app and insists the end of road-going anonymity can only improve safety.

Your government at work!

Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework

December 16, 2010 by Dissent

Quick pointer:

The Department of Commerce Internet Policy Task Force has released its report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.

I haven’t had time to read it yet, but you can read it at

Update 1: Hunton & Williams offer a summary of the paper.


Commerce Online Privacy Report Gets Mixed Grades

December 16, 2010 by Dissent

I still haven’t had time to read the report for myself, but the online “buzz” about the new report and recommendations from the Commerce Department is that it falls far short of where we need to be. Here are just two news stories about reactions.

Brian Prince of eWeek reports:

A new U.S. Dept. of Commerce report (PDF) on online privacy drew a mixed reaction from watchdogs Dec. 16, some of whom called it a thinly veiled gift to the online advertising industry.

The sweeping report, released Dec. 16, calls for a “Dynamic Privacy Framework” that would revitalize Fair Information Practice Principles (FIPPs) and establish a commercial data-focused Privacy Policy Office that would identify areas where new industry or use-specific codes are needed. The paper focuses on the promotion of “informed consent” and transparency for consumers.

While some privacy advocates commended the report’s recognition of privacy issues, the report has also been criticized for falling short in certain ways – namely in its emphasis on self-regulation by the online advertising industry and its proposal of creating a safe harbor against enforcement actions by the Federal Trade Commission (FTC) as an incentive for businesses to adopt better privacy practices.


And Juliana Gruenwald of Tech Daily Dose reports:

Privacy advocates were skeptical of the proposals outlined in a privacy report released by the Commerce Department Wednesday.

While pleased that the agency is bringing attention to the need to do more to protect consumer privacy online, representatives from five privacy groups said in a conference call that the report’s proposed measures are too focused on industry self regulation. It’s a “Christmas gift to the data collection industry from the Obama administration,” according to John Simpson of Consumer Watchdog.


Update: Of course, no sooner do I post the above than I see: Department of Commerce Privacy Report: Dynamic and Innovative from TRUSTe.

“We often pass laws we don't intend to obey.” Think of it as a “Double Secret Exemption”

Ca: N.S. health privacy law concerns journalists

By Dissent, December 17, 2010

The Canadian Press reports:

Nova Scotia legislation that aims to protect personal health records but also raises fears that it’s too restrictive on the media has passed.

Fred Vallance-Jones, a journalism professor at the University of King’s College in Halifax, has said the law could see journalists face fines of up to $10,000 or six months in jail if they seek information from hospital officials when patients haven’t given permission to release information about their status.

He said, for example, that a reporter asking a nurse in a hospital hallway whether the premier broke his leg might end up breaking the law.

The opposition Liberals and Conservatives agreed with his objections and raised them during third reading of the bill last Thursday, but still voted for it.

NDP Health Minister Maureen MacDonald says her legal counsel doesn’t believe the legislation will be used to prosecute journalists. [Only second class citizens, serfs and peons are targeted... Bob] She says the intent is simply to protect privacy rather than restrict reporting on the health care system.


When governments think they know what's best for citizens, you get nonsense like this.

The French Government Can Now Censor the Internet

"A new episode in French internet legislation — French ministers have passed a bill (original in French) allowing the government to add any website to a black list, which access providers will have to enforce. This black list will be defined by the government only, without requiring the intervention of the legal system. [and if they don't like it, we'll blacklist them too! Bob] Although originally intended against pedo-pornographic websites, this bill is already outdated, as was Hadopi in its time, and instead paves the way for a global censorship of the 'French internet.'"

(Related) This is not an isolated syndrome. The quest for “control” (translation: censorship) has come up repeatedly from several “Third World” countries. (Like France?)

UN Considering Control of the Internet

"News has surfaced in the wake of the WikiLeaks story that the United Nations is mulling total inter-government regulation of the internet. The initiative was spearheaded by Brazil and supported by other countries including India, China, Saudi Arabia and South Africa. Drew Wilson of ZeroPaid commented that while the Cablegate story may be bad, attempting to destroy WikiLeaks would only make matters worse for various governments around the world, given what happened when the music industry shut down Napster ten years ago."

At least they are being honest enough not to claim “It's for the children...”

WI: Lawmakers Approve Fingerprint Scanners to Prevent Child Care Fraud

December 16, 2010 by Dissent

Ann-Elise Henzl reports:

In an effort to prevent fraud at day care centers, the state will install fingerprint scanners to track the children who are attending.

The state says the system will allow it to monitor attendance, and make sure the state is only reimbursing day care facilities for services actually provided.


Patrick Marley of the Journal Sentinel reports:

Children or their guardians would need to scan their fingers when they arrive at and leave child care facilities, a move that is meant to give the state assurance that it is paying only for children who actually attend day care.

So let’s be clear: CHILDREN will be tracked to prevent ADULTS committing financial fraud. It would seem that there would need to be some kind of new database of fingerprints and records of time arrived/time left to support this. Who will have access to the database containing children’s information? How long will it be retained for? Do the children being third-party beneficiaries of the state’s subsidy program permit the state to impose surveillance requirements on them?

Does no one in Wisconsin see a problem with creating a database of children this way?

(Related) Dilbert illustrates over-reliance on technology

“It is better to look secure than to be secure” Hernando I suppose TSA will eventually install their scanners at subway and train stations, perhaps even develop a “home model” we can use before we get into our cars...

Washington subway police to begin random bag checks

December 16, 2010 by Dissent

Officers will start random bag inspections on the sprawling Washington subway system, the Washington Metro Transit Police said on Thursday, a week after a man was arrested for making bomb threats to the rail system.

Metrorail police officers plan to randomly select bags before passengers enter subway stations and they will swab them or have an explosives-sniffing dog check the bags, according to the Metro police.

There is “no specific or credible threat to the system at this time,” Metro said in a statement. Passengers who refuse to have their bags inspected will be denied entry into the subway system.

So once again we see a reactive measure. It’s been how many years since 9/11 and they’re just getting around to doing something about subways in major urban areas?

I especially love this quote:

“The program will increase visible methods of protecting our passengers and employees, while minimizing inconvenience to riders,” Metro Transit Police Chief Michael Taborn said in a statement announcing the new checks.

Security theater at its worst. If you’re going to do this kind of thing, have the dogs stationed by entrances and sniff away at everyone. These “random” checks are not likely to be “random” at all and may well miss actual threats.

Read more of this Reuters report.

Another example of “normal, everyday (technology aided) activities you can't do while a juror” Would this automatically exempt “Internet addicts?”

Judge Declares Mistrial Because of Wikipedia

"The Palm Beach Post reports that a police officer convicted of drugging and raping a family member will get a new trial because the jury forewoman brought a Wikipedia article into deliberations. Broward Circuit Judge Stanton Kaplan declared a mistrial after Fay Mason admitted in court that she had downloaded information about 'rape trauma syndrome' and sexual assault from Wikipedia and brought it to the jury room. 'I didn't read about the case in the newspaper or watch anything on TV,' says Mason. 'To me, I was just looking up a phrase.' Judge Kaplan called all six jurors into the courtroom and explained that Mason had unintentionally tainted their verdict and endangered the officer's right to a fair trial. Mason does not face any penalties for her actions."

One for the “Swiss Army Folder”

Word Lens Translates Words Inside of Images. Yes Really.

Ever been confused at a restaurant in a foreign country and wish you could just scan your menu with your iPhone and get an instant translation? Well as of today you are one step closer thanks to Word Lens from QuestVisual.

The iPhone app, which hit iTunes last night, is the culmination of 2 1/2 years of work from founders Otavio Good and John DeWeese. The paid app, which currently offers only English to Spanish and Spanish to English translation for $4.99, uses Optical Character Recognition technology to execute something which might as well be magic. This is what the future, literally, looks like.

(Ditto) Converting PDF to Doc Without Changing Layout

Similar tools: PDFtoWord, ConvertPdfToWord and PDFUndoOnline.

An introduction to scripting?

Better Than Batch – A Windows Scripting Host Tutorial

Here at MUO, we love computer automation. For example, Varun covered Sikuli, a tool to write automation scripts, and Guy showed you how to use AutoIt to automate tasks. The cool thing about MSH is that if you have any post-Win 98 PC, you can write a “batch” script in a variety of languages.

Available languages include JScript, VBA, and VBScript. It’s also possible to write scripts in Perl, Python, PHP, Ruby or even Basic if you have the right implementation with the right scripting engine.

… Some of the best sites to find pre-written scripts that you can use or customize include the following:

  • Microsoft Script Center – Straight from Microsoft, and includes categories like Office, desktop, databases and Active Directory

  • Computer Performance – This UK site offers the best selection of VBScripts that I’ve seen online.

  • Computer Education – You’ll find a small collection of scripts here, but they’re very useful and they all work.

  • Lab Mice – An awesome collection of batch programming resources like an assortment of logon scripts.

Interesting research potential. Try “Privacy” or “Cloud Computing”

Cultural Evolution Could Be Studied in Google Books Database

Google’s massive trove of scanned books could be useful for researchers studying the evolution of culture.

In a paper published Dec. 16 in Science, researchers turned part of that vast textual corpus into a 500-billion-word database in which the frequency of words can be measured over time and space.

Their initial subjects of analysis, including cultural trajectories of popular modern thinkers and the conjugation of irregular verbs, hint at what might be done.

… The database is freely available for online queries and complete download.

The Infographic pretty much sums it up!

Graphic: Your Computer Is Going Away

Thursday, December 16, 2010

For my Criminal Justice students. Ubiquitous surveillance just got a new tool! Perhaps this tool will allow you to identify the bad guys from those video images of a bank robbery? Perhaps I could tag politicians as “Left” or “Right?” Let your imagination run wild, as I'm certain the taggers will.

Facial recognition comes to Facebook photo tags

Taking yet another step in the ongoing process of upgrading its photo-sharing service, Facebook announced today that it will soon enable facial-recognition technology--meaning that when members upload photographs and are encouraged to "tag" their friends, they will be able to choose from a list of suggestions.

Thanks to its treasure trove of user photos that have already been tagged, not to mention personal profile photos, Facebook has built up a huge base of data for gauging exactly who's in what photo. There are now 100 million photo uploads per day, according to Facebook, and 100 million "tags" each day as well. Tagging is also a hallmark of Facebook's photo product, which was otherwise bare-bones, difficult to use, and lagged behind competitors at its launch. Being able to annotate each photo with friends' names was largely what propelled Facebook Photos forward.

"Tagging is actually really important for control, because every time a tag is created it means that there was a photo of you on the Internet that you didn't know about," Facebook Vice President of Product Chris Cox told CNET. "Once you know that, you can remove the tag, or you can promote it to your friends, or you can write the person and say, 'I'm not that psyched about this photo.'"

Of course, there will be someone out there who cries foul with regard to how Facebook handles users' personal information or wonders whether this is a sign that Facebook knows too much about us all. Cox explained that there will be an opt-out for the new feature so that if a member does not want to show up in his or her friends' tagging suggestions, they won't.

For my Ethical Hackers

Lessons Learned From the Gawker Hack

The numbers were impressive: 1.3 million user accounts exposed, 405 megabytes of source code lost, and perhaps more important to some, the identity of those leaving anonymous comments potentially revealed. For Gawker, there is a loss of trust that will be difficult to regain. Users are already clamoring for the ability to delete their accounts. [Apparently, this “feature” is not normally built into user-facing systems. Bob] And, on the technical side, all Gawker’s systems will need to be painstakingly audited or rebuilt entirely from scratch to prevent the same thing from happening again.

1. First and foremost, DO NOT poke the bear. By taunting the hacker community, especially the vigilante types, Gawker made itself a target unnecessarily. Never claim to be “unhackable.” The hackers outnumber you by several orders of magnitude, and they have more free time. Respect their capabilities. Not to mention the odds are always stacked against defenders. The attackers only have to find one little crack in the wall to bring the castle crumbling down.

2. Learn the fundamentals of incident response. Don’t pretend everything is OK when it’s not.

3. Make sure your organization is doing basic security blocking and tackling.

4. Have a knowledgeable security professional in place.

5. Hack yourself first or the bad guys will do it for you.

6. NEVER use the same passwords across online accounts.

… Perhaps the most important lesson is that it will happen again, so everyone needs to be prepared.

Bad enough when Google started watching you from satellites. Then they drove a camera-car down your street. No doubt that now they will want to ride a Segway through your building. What's next? If they can convince realtors to photograph homes, eventually they will have a floor plan for every home.

Beyond The Street, Bing Will Add Interior Views Of Local Businesses From EveryScape

I can't see people running into the street chanting “We're number 25! We're number 25!”

U.S. ranks 25th in the world for Internet connection speed

(Related) What's worse is that there is no technological reason for the US to be so far behind other than the lack of competition (read: free market)

Not So Fast LTE, HSPA Could Become 100 Times Speedier!

Nokia Siemens Networks today promoted a new wireless broadband standard that could offer peak download speeds of 672 Mbps, or roughly 100 times faster than the average 3G speeds of today.

Similar to the Sixth Circuit's ruling?

EFF Location Privacy Victory at Third Circuit Stands, With Implications Far Beyond Your Cell Phone

December 15, 2010 by Dissent

Kevin Bankston shares the great news:

In EFF’s second major privacy victory in as many days, the Third Circuit Court of Appeals today denied the government’s request that it reconsider its September decision regarding government access to cell phone company records that reveal your past locations. That means the court’s original opinion — holding that federal magistrates have the discretion to require the government to get a search warrant based on probable cause before obtaining cell phone location records — is now the settled law of the Third Circuit, assuming the government doesn’t seek review by the Supreme Court. Importantly, this victory won’t just provide greater protection for the privacy of your cell phone records but for all other communications records that the government currently obtains without warrants.


This victory is particularly gratifying because the Third Circuit’s decision has implications far beyond cell phone location privacy. The main holding of the case was a general ruling about the federal Stored Communications Act (“SCA”), the portion of the Electronic Communications Privacy Act of 1986 that regulates communications providers’ disclosure of communications content and records. That statute is regularly used by the government to secretly obtain a broad range of content and records, not just cell phone location records, based not on a probable cause warrant but on a much easier to obtain court order that doesn’t require probable cause (often called a “D Order” since they are authorized in subsection (d) of section 2703 of the SCA). For example, the government routinely obtains email content using D orders instead of warrants (you may remember we joined with Yahoo! to beat back such a request just this summer).

The key holding in this case affects the basic operation of the SCA for D Orders. What the Third Circuit held was that, when the government applies for a D Order, the judge has the discretion to deny that application and instead require a warrant in order to avoid potential Fourth Amendment problems. This is an incredibly powerful pro-privacy ruling, especially compared to the government’s position that courts must grant D orders when the government meets the minimal, non-probable cause factual showing that the statute requires. The Third Circuit has clarified that judges can deny D Order applications — for cell phone records, for emails, or anything else — so long as they have reason to believe that the order might violate the Fourth Amendment.

Read more on EFF.

Cyber war: Cheaper than bombing. Makes me wonder what other areas of infrastructure have been targeted and are just waiting for the “trigger” to be pulled.

Stuxnet Virus Set Back Iran’s Nuclear Program by 2 Years

"The Jpost article states: 'The Stuxnet virus, which has attacked Iran's nuclear facilities and which Israel is suspected of creating, has set back the Islamic Republic's nuclear program by two years, a top German computer consultant who was one of the first experts to analyze the program's code told The Jerusalem Post on Tuesday. Widespread speculation has named Israel's Military Intelligence Unit 8200, known for its advanced Signal Intelligence (SIGINT) capabilities, as the possible creator of the software, as well as the United States.'"

Let the lawsuits begin!

OnLive Awarded Patent For Cloud-Based Gaming

"Cloud gaming provider OnLive has secured a patent for an 'apparatus and method for wireless video gaming.' The patent gives substantial leverage for OnLive over competing brands in the cloud-based gaming market. 'Hundreds of people have worked incredibly hard for more than eight years to bring OnLive technology from the lab to the mass market, not just overcoming technical and business challenges, but overcoming immense skepticism,' said OnLive CEO Steve Perlman. 'It is gratifying to not only see people throughout the world enjoying OnLive technology in the wake of so many doubters, but also receive recognition for such a key invention.'"

For my Computer Security students. Base your decision on the type/amount of information you had to provide.

The Case For Lousy Passwords

"Since the Gawker and McDonald's hack attacks, the web has been overrun with admonishments for using weak passwords. But weak passwords have their place too, says blogger Peter Smith. Like, for example, on Gawker, where he really doesn't care if it gets cracked. 'Life is too short to be worrying about 24 character passwords for trivial sites,' says Smith. And, to put things in perspective, your good passwords are pretty weak too. In a 2007 Coding Horror article, Jeff Atwood points out that the password "Fgpyyih804423" was cracked in 160 seconds by the Ophcrack cracker."

[Get Ophcrack:

Perhaps I'll make my students submit their papers in e-Reader format...

How To Make An ePub File For The iPad, Nook, Kobo & More

With the advent of e-ink devices, and tablets like the iPad, more and more people are doing their reading digitally. If you want your writing to reach a broader audience, you should know how to create files for these devices.

Creating From Scratch Or Editing

Jeffry highlighted two cross-platform tools for creating iBooks earlier this year: Sigil and eCub. Both of these tools are handy if you’re looking to create an ePub from scratch, so read that article, but know Sigil has a key advantage Jeffry didn’t mention: it can edit existing ePub files.

... Lexcycle has a great guide on creating and editing ePub files from scratch, so consider checking that out before getting too deep.

… If none of this is working for you, check out Calibre, the ultimate ebook manager. This program can convert many different formats to ePub, so it’s a great tool to have in your kit.

Very handy way to answer “computer” questions from anyone!

Google launches Teach Parents Tech site

Google has produced 54 how-to videos produced and hosted by Google employees, each of which runs for just under a minute.

Topics covered include such basics as "how to attach a file to an email" or "how to copy and paste" through to "how to find cheap flights."


This site does not (yet) have very broad coverage but it is definitely one to watch. Try searching for your favorite magazine. Who decided that 1500 words was “Long?” My students would say 15 words is TLTT (too long to text)

Longreads: A Long-Form Content Aggregator

Do you like to read long-form content – articles that are usually more than 1,500 words, and can extend up to a few 1,000 words, from your favorite publications? If you do, then you are sure to like this simple tool called Longreads.

It links to such content every day and archives them in its database which is searchable. So, if you are looking for some gems from NY Times, then you just need to type “New York Times” on the Longreads search bar and hit search.

Similar tools: Sendmeastory, DailyLit, and MaYoMo.

Wednesday, December 15, 2010

Local This is a good thing. Knowing you have a problem is the first step toward finding a solution. On the other hand, knowing someone is vulnerable is the first step toward a targeted attack.

Colorado’s state computer systems fail “hacker” test in cyber-security audit

December 14, 2010 by admin

Tim Hoover reports that the state’s cybersecurity is not in good shape and that personal information is at “high risk.” You can read his report in the Denver Post.

While the news may not be good, kudos are due for hiring a firm to try to hack into the state’s systems to determine just how weak the security really is.

Hoover also reports that we may not have been told about all state breaches:

And while there had been 43 cyber-security incidents reported to the office since 2006, auditors thought the number was higher, noting that some known incidents had not been reported.

And of course, that’s only the incidents they know about and doesn’t include incidents that were never detected (yes, I’m assuming that there have been undetected incidents. Wouldn’t you?)

This is an interesting twist. Failure to revoke the cards allowed the bad guys to charge purchases, then the bank pulled the money back.

U.S. Bank Hit with Class Action Suit Alleging Data Breach Cover-Up

December 15, 2010 by admin

Jason C. Gavejian writes:

Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently charged back (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment).

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system. Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

Read more about the lawsuit on Workplace Privacy Data Management & Security Report

Initially, this looked like a major change in thinking. I'll have to read it to understand what actually happened. (A quick scan suggests they DID show harm, but the lower court decision was still Affirmed.)

Starbucks May Be Aren’t Liable for Workers’ ID Theft Risk (updated)

December 14, 2010 by admin

Tim Hull reports the latest on a lawsuit that stemmed from a case involving a stolen laptop in 2008:

Starbucks employees whose personal information was stolen with a company laptop can sue the coffee kahuna for negligence, the 9th Circuit ruled Tuesday.

About 97,000 current and former Starbucks employees were exposed to identity theft in 2008 when an unknown thief stole a laptop that contained their unencrypted names, addresses and social security numbers. Starbucks informed its employees of the theft and provided free credit-watch services to the affected employees.


None of the plaintiffs claimed that they had lost any money or been the victim of a successful identity theft.

A district court dismissed the complaints, finding that the employees had failed to show an injury under Washington law though did have federal standing.

The federal appellate panel in Seattle agreed, finding sufficient evidence to show that the employees had been harmed by the theft, even though their claims were somewhat hypothetical.

“Here, plaintiffs-appellants have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data,” Judge Milan Smith wrote for the court. “Were plaintiffs-appellants’ allegations more conjectural or hypothetical – for example, if no laptop had been stolen, and plaintiffs had sued based on the risk that it would be stolen at some point in the future – we would find the threat far less credible.”

Read more on Courthouse News. The court’s opinion can be found on the Ninth Circuit’s site.

Previous coverage on this site.

This is big, as it’s the first case I can think of where plaintiffs did not demonstrate any financial harm and are talking about other kinds of harm/injury. Of course, the fact that they can proceed with the lawsuit doesn’t mean that they’ll prevail, but it’s still pretty amazing that they got this decision.

Update: I was so excited reading parts of the decision that I totally missed the fact that the court said they affirmed the dismissal of the state level claims. In a separate memorandum, the court explained why it affirmed the dismissal of the state-level claims. It’s not clear to me what would happen if the customers/plaintiffs had fully argued/briefed on the issue of anxiety as harm/injury, but I guess that argument will have to wait for another case.

The risks of Cloud Computing

Google's ChromeOS means losing control of data, warns GNU founder Richard Stallman

Google's new cloud computing ChromeOS looks like a plan "to push people into careless computing" by forcing them to store their data in the cloud rather than on machines directly under their control, warns Richard Stallman, founder of the Free Software Foundation and creator of the operating system GNU.

Two years ago Stallman, a computing veteran who is a strong advocate of free software via his Free Software Foundation, warned that making extensive use of cloud computing was "worse than stupidity" because it meant a loss of control of data.

Now he says he is increasingly concerned about the release by Google of its ChromeOS operating system, which is based on GNU/Linux and designed to store the minimum possible data locally. Instead it relies on a data connection to link to Google's "cloud" of servers, which are at unknown locations, to store documents and other information.

The risks include loss of legal rights to data if it is stored on a company's machines rather than your own, Stallman points out: "In the US, you even lose legal rights if you store your data in a company's machines instead of your own. The police need to present you with a search warrant to get your data from you; but if they are stored in a company's server, the police can get it without showing you anything. They may not even have to give the company a search warrant."

… But Stallman is unimpressed. "I think that marketers like "cloud computing" because it is devoid of substantive meaning. The term's meaning is not substance, it's an attitude: 'Let any Tom, Dick and Harry hold your data, let any Tom, Dick and Harry do your computing for you (and control it).' Perhaps the term 'careless computing' would suit it better."

… The accountability of cloud computing providers has come under close focus in the past fortnight after Amazon removed Wikileaks content from its EC2 cloud computing service, saying that the leaks site had breached its terms and conditions, and without offering any mediation in the dispute.

(Related) Sort of a “Cloud Computing” failure... When all of your customers' data is protected by the same security, you have a “Single Point of Failure”

Do Walgreens, McDonald’s, and deviantART breaches have common point of compromise?

December 14, 2010 by admin

Dan Goodin reports:

FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems.

“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI’s Atlanta field office, told The Register. “It appears to be emanating from an overseas location.”

He declined to provide further details.

Read more in The Register, where Dan reports that deviantART specifically names Silverpop in their notification, and that because Walgreens reported in 2009 that it was using Arc Worldwide as its marketing agency (the same agency McDonald’s said they use), the Walgreens breach may also be linked to Silverpop.

In a statement to Crain’s, Silverpop wrote:

Silverpop “was among several technology providers targeted as part of a broader cyber attack,” the company said in a statement. “When we recently detected suspicious activity in a small percentage of our customer accounts, we took aggressive measures to stop that activity and prevent future attempts. Among other things, we unilaterally changed all passwords to protect customer accounts and engaged the FBI’s cybercrime division.”

Stay tuned, I guess.

(Related) A “Single Point of Hardware Failure?”

Hidden Backdoor Discovered On HP MSA2000 Arrays

"A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

[From the article:

Similar vulnerabilities were recently discovered in Cisco Unified Video Conferencing products, where a Linux shadow password file contained three hard-coded usernames and passwords.

… “To put this threat in context, supporting infrastructures for today’s virtualized environments have become a network of access points enabling interaction between systems. Many of these access points are privileged in that they are highly powerful and suffer from relatively poor controls - leading to privileged access point vulnerabilities. Cyber criminals understand the potential of these privileged access points and are using the vulnerabilities to transform the cyber crime frontier.

… In reality, organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities.
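The article's point that embedded devices ship with undocumented, unchangeable credentials is something a defender can check for on any appliance that exposes a Linux-style shadow file. The script below is an added example written for this page, not code from the article or from HP or Cisco: it parses a constructed, placeholder shadow file, classifies each account by whether it can actually authenticate with a password (as opposed to being locked with `*` or `!`), and flags every loginable account that is not on the list the vendor documentation says should exist. The expected-account set and the sample hashes are constructed for illustration; the parsing follows the shadow(5) field layout.

```python
"""Audit a shadow(5)-style file for undocumented accounts that can log in.

Added example for this page (not from the article or any vendor). The sample
shadow contents and the expected-account list below are constructed; the hash
values are placeholders, not real password hashes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHROOT:15300:0:99999:7:::
daemon:*:15300:0:99999:7:::
sshd:!:15300:0:99999:7:::
admin:$6$abcdefgh$PLACEHOLDERHASHADMIN:15300:0:99999:7:::
guest::15300:0:99999:7:::
svc_backup:$1$zzzzzzzz$PLACEHOLDERMD5HASH:15300:0:99999:7:::
vendor_maint:$6$qwertyui$PLACEHOLDERHASHVENDOR:15300:0:99999:7:::
not_a_shadow_line
"""

# Constructed: the accounts the device's documentation says may log in.
EXPECTED_LOGIN_ACCOUNTS: Set[str] = {"root", "admin"}


@dataclass
class ShadowEntry:
    name: str
    hash_field: str

    @property
    def can_authenticate(self) -> bool:
        # Empty field means no password is required at all; a field starting
        # with '!' or '*' is locked or disabled and cannot be used to log in.
        h = self.hash_field
        return h == "" or not h.startswith(("!", "*"))

    @property
    def hash_scheme(self) -> str:
        # Classify by the crypt(3) prefix so weak schemes stand out in a report.
        h = self.hash_field
        if h == "":
            return "none (empty password)"
        if h.startswith(("!", "*")):
            return "locked"
        if h.startswith("$6$"):
            return "sha512crypt"
        if h.startswith("$5$"):
            return "sha256crypt"
        if h.startswith("$1$"):
            return "md5crypt (weak)"
        return "descrypt/unknown (weak)"


def parse_shadow(text: str) -> Tuple[List[ShadowEntry], List[int]]:
    """Parse shadow text; return entries plus line numbers that were malformed.

    Malformed lines are reported rather than skipped silently, because a
    tampered or truncated shadow file is itself a finding.
    """
    entries: List[ShadowEntry] = []
    malformed: List[int] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:
            malformed.append(lineno)
            continue
        entries.append(ShadowEntry(name=fields[0], hash_field=fields[1]))
    return entries, malformed


def find_unexpected_logins(entries: List[ShadowEntry],
                           expected: Set[str]) -> Dict[str, str]:
    """Return {account: hash_scheme} for accounts that can authenticate with a
    password but are not on the documented list."""
    return {e.name: e.hash_scheme for e in entries
            if e.can_authenticate and e.name not in expected}


def audit(text: str, expected: Set[str]) -> Tuple[Dict[str, str], List[int]]:
    entries, malformed = parse_shadow(text)
    return find_unexpected_logins(entries, expected), malformed


if __name__ == "__main__":
    findings, bad_lines = audit(SAMPLE_SHADOW, EXPECTED_LOGIN_ACCOUNTS)
    for name, scheme in sorted(findings.items()):
        print(f"UNDOCUMENTED LOGIN: {name:<14} scheme={scheme}")
    for n in bad_lines:
        print(f"MALFORMED shadow line {n}")
```

On the constructed input the report flags `guest` (empty password), `svc_backup` (md5crypt) and `vendor_maint`, while `root` and `admin` pass because they are documented and `daemon`/`sshd` pass because they are locked. Running the same check against a firmware image's extracted filesystem, or against a vendor's published default accounts, is one way to catch the kind of hidden user the article describes before an appliance goes into production.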

(Related) Maybe data in the Cloud has similar “Rights?”

Govt violated Warshak’s 4th Amdt rights, but evidence admissible because of “good faith” reliance on SCA – 6th Circuit (Update2)

December 14, 2010 by Dissent

Via Howard Bashman of How Appealing:

Email privacy, on appeal: A three-judge panel of the U.S. Court of Appeals for the Sixth Circuit today issued a very lengthy decision on the latest round of appeals in the case captioned United States v. Warshak.

I haven’t had time to wade through the whole opinion yet, so here’s the court’s summary of their holding on the email privacy aspect of the case:

  1. Warshak enjoyed a reasonable expectation of privacy in his emails vis-a-vis NuVox, his Internet Service Provider. See Katz v. United States, 389 U.S. 347 (1967). Thus, government agents violated his Fourth Amendment rights by compelling NuVox to turn over the emails without first obtaining a warrant based on probable cause. However, because the agents relied in good faith on provisions of the Stored Communications Act, the exclusionary rule does not apply in this instance. See Illinois v. Krull, 480 U.S. 340 (1987).

Their analysis of the search and seizure of Warshak’s emails begins on page 14 of the opinion:

Warshak argues that the government’s warrantless, ex parte seizure of approximately 27,000 of his private emails constituted a violation of the Fourth Amendment’s prohibition on unreasonable searches and seizures. The government counters that, even if government agents violated the Fourth Amendment in obtaining the emails, they relied in good faith on the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., a statute that allows the government to obtain certain electronic communications without procuring a warrant. The government also argues that any hypothetical Fourth Amendment violation was harmless. We find that the government did violate Warshak’s Fourth Amendment rights by compelling his Internet Service Provider (“ISP”) to turn over the contents of his emails. However, we agree that agents relied on the SCA in good faith, and therefore hold that reversal is unwarranted.

I’ll post links to discussion of the ruling tomorrow after blawgers have had a chance to read the opinion and respond.

Update: Wow, there’s some great stuff in the opinion. Here’s a crucial snippet:

Accordingly, we hold that a subscriber enjoys a reasonable expectation of privacy in the contents of emails “that are stored with, or sent or received through, a commercial ISP.” Warshak I, 490 F.3d at 473; see Forrester, 512 F.3d at 511 (suggesting that “[t]he contents [of email messages] may deserve Fourth Amendment protection”). The government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.

See also EFF’s coverage of the decision. EFF had filed an amicus brief in the case.

Update 2: See Paul Ohm’s commentary and Orin Kerr’s initial commentary.

A challenge to the Surveillance State?

Europe tells Britain to justify itself over fingerprinting children in schools

December 14, 2010 by Dissent

Bruno Waterfield reports:

The European Commission has demanded Britain justifies the widespread and routine fingerprinting of children in schools because of “significant concerns” that the policy breaks EU privacy laws.

The commissioner is also concerned that parents are not allowed legal redress after one man was told he could not challenge the compulsory fingerprinting, without his permission, of his daughter for a “unique pupil number”.

In many schools, when using the canteen or library, children, as young as four, place their thumbs on a scanner and lunch money is deducted from their account or they are registered as borrowing a book.

Research carried out by Dr Emmeline Taylor, at Salford University, found earlier this year that 3,500 schools in the UK – one in seven – are using fingerprint technology.

Read more in the Telegraph.

An overreaction? Does this result from an aggressive application that flags any site that contains certain keywords or are they backing into it because of an application that checks “unclassified” systems for classified material and WikiLeaks documents might trigger a reaction?

Air Force Blocks NY Times, WaPo, Other Media

The Wall Street Journal is reporting that the Air Force, not content with blocking WikiLeaks and its mirrors, has begun blocking media sites carrying WL documents.

"Air Force users who try to view the websites of the New York Times, Britain's Guardian, Spain's El Pais, France's Le Monde or German magazine Der Spiegel instead get a page that says, 'ACCESS DENIED. Internet Usage is Logged & Monitored'... The Air Force says it has blocked more than 25 websites that contain WikiLeaks documents, in order to keep classified material off unclassified computer systems. ... The move was ordered by the 24th Air Force... The Army, Navy, and Marines aren't blocking the sites, and the Defense Department hasn't told the services to do so, according to spokespeople for the services and the Pentagon."

(Related) Perhaps Richard Stallman was correct (see above). I didn't realize “Erotic Incest Fantasy” was a genre, but I wonder if these were “banned” because of a complaint or because of “certain words.” If the latter, will they also ban Psychology or Criminal Justice textbooks?

Amazon Taking Down Erotica, Removing From Kindles

"The independent writers who publish on Amazon report that erotica books containing incest are being taken down with no explanation by Amazon, and removed from the Kindles of purchasers of the books. Author Selena Kitt writes: 'I want to be clear that while the subject of incest may not appeal to some, there is no underage contact in any of my work, and I make that either explicitly clear in all my stories or I state it up front in the book's disclaimer. I don't condone or support actual incest, just as someone who writes mysteries about serial killers wouldn't condone killing. What I write is fiction.' Kindle's own TV ad features a book with a story line of sex between a 19-year-old and his stepmother, defined in some states as incest ('Sleepwalking' by Amy Bloom)."

“Stupid is as stupid does...” F. Gump Note that even stupid people can use a computer...

The taunt of an apparent Facebook thief

… Sometime between 10 a.m. and 12:45 p.m. Friday, a burglar busted through our basement door -- simply kicked through the 80-year-old wood panels -- and took a bunch of stuff.

Just one more example of life in the big city. Except that the apparent thief didn't stop with taking our belongings.

He felt compelled to showboat about his big achievement: He opened my son's computer, took a photo of himself sneering as he pointed to the cash lifted from my son's desk, and then went on my son's Facebook account and posted the picture for 400 teenagers to see. In the picture, the man is wearing my new winter coat, the one that was stolen right out of the Macy's box it had just arrived in.

"I've seen a lot, but this is the most stupid criminal I've ever seen," marveled D.C. police Officer Kyle Roe