Saturday, December 31, 2011


“We know so little about how our system works or what our security does that we are truly ignorant of the security implications” and “We built accounts for you so we could charge higher advertising rates...”
If it’s Friday, it’s time to reset almost 18 million passwords?
December 30, 2011 by admin
Care2 has notified users of a security breach. In its FAQ, the online community said that it discovered the breach on December 27, but as of December 28, “We are currently unable to determine the full extent of the security breach.” The site is forcing a password reset and urging members to change their passwords on other sites if they re-use passwords.
A copy of the e-mail notification sent to members today was forwarded to DataBreaches.net by a recipient:
To All Care2 Members:
We have discovered that Care2.com servers were attacked, resulting in a security breach. The hackers were able to access login information for Care2 member accounts. Our team has worked to secure Care2.com against this type of attack from recurring.
To protect Care2 members we are resetting access to all Care2 accounts. The next time you login to Care2, you will be automatically emailed a new password, which will enable you to access your Care2 account as usual.
To recover your password, you can also visit our password retrieval form http://www.care2.com/go/z/e/Ag5Vq/zLzm/SxwU and enter your username or email. Your password will be emailed to you.
To secure your privacy, we highly recommend you immediately change your password for any accounts that share the password you previously used on Care2.
If you have any questions or concerns, please email us at: care2support@care2team.com.
We sincerely apologize for this inconvenience. We take the security of our members very seriously and are taking these extreme steps to reduce the chances of any possible negative consequences.
Randy Paynter
Founder & President, Care2
Care2's home page indicates it has 17,900,617 members, but the notification says that the hackers were (only?) able to access login information for a “limited number” of Care2 member accounts. I wonder what they consider “limited number.” And I wonder what other information the hackers acquired.
Significantly, perhaps, a number of commenters noted that they were surprised to learn of a breach involving their login information as they had never signed up for an account. An administrator replied:
To the best of my knowledge, anyone who has ever signed a petition at the Petition Site run by Care2, is automatically given a profile / account. That may be how many of you were added. Also, long ago, Care2 had a number of very popular newsletters, and people who subscribed to those were given profile pages when the newsletters were turned into groups.
So I also wonder whether Care2.com ever sought or obtained consent to create profile pages for individuals who only signed up to receive a newsletter by e-mail.
And I wonder why they are reportedly e-mailing passwords to users in clear text.
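The notification above mails members a new password, which means the site holds something it can mail. As an added illustration, not Care2's code or any part of the original post, the Python below shows what a reset flow normally does instead: the server keeps only salted PBKDF2 hashes, and the mail carries a short-lived, single-use reset token rather than a password. The address, URL, iteration count and token lifetime are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed demo: a reset flow that never has, and never mails, a password.
# A stolen user table yields salted hashes, not credentials to replay on
# other sites, and a reset link dies after one use or a short time.

PBKDF2_ITERATIONS = 200_000                    # tune to ~100 ms on real hardware
TOKEN_TTL_SECONDS = 30 * 60                    # assumed lifetime of a reset link
RESET_URL = "https://example.invalid/reset"    # placeholder, not Care2's URL


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); a fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class ResetService:
    """In-memory stand-in for the user table, the reset table and outgoing mail."""

    def __init__(self, now=time.time):
        self.users = {}      # email -> (salt, digest); the plaintext is never stored
        self.pending = {}    # email -> (sha256(token), expiry); the token itself is not stored
        self.outbox = []     # (email, body) pairs; constructed stand-in for SMTP
        self.now = now       # injectable clock so expiry can be exercised

    def register(self, email: str, password: str) -> None:
        self.users[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        stored = self.users.get(email)
        return stored is not None and verify_password(password, *stored)

    def request_reset(self, email: str) -> str:
        # Identical reply whether or not the address exists, so the form
        # cannot be used to confirm which addresses hold accounts.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.pending[email] = (hashlib.sha256(token.encode()).digest(),
                                   self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, f"Reset your password here: {RESET_URL}?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_hash, expires = entry
        if self.now() > expires:
            del self.pending[email]
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        del self.pending[email]            # single use: a replayed link must fail
        self.users[email] = hash_password(new_password)
        return True


def token_from_mail(body: str) -> str:
    """Pull the token out of the mailed link (what the member's browser would send back)."""
    return body.split("token=", 1)[1]


def demo(clock: Optional[list] = None) -> dict:
    """Walk the whole flow with a controllable clock and report each outcome."""
    clock = clock if clock is not None else [1_000_000.0]
    svc = ResetService(now=lambda: clock[0])
    svc.register("member@example.invalid", "hunter2")
    svc.request_reset("member@example.invalid")
    svc.request_reset("nobody@example.invalid")       # unknown address: no mail, same reply
    token = token_from_mail(svc.outbox[-1][1])
    results = {
        "mails_sent": len(svc.outbox),
        "plaintext_on_server": "hunter2" in repr(svc.users) + repr(svc.pending),
        "reset_ok": svc.complete_reset("member@example.invalid", token, "correct horse battery"),
        "reuse_rejected": not svc.complete_reset("member@example.invalid", token, "again"),
    }
    results["new_login"] = svc.login("member@example.invalid", "correct horse battery")
    results["old_login"] = svc.login("member@example.invalid", "hunter2")
    # Expiry: a second link that is only used after the TTL has elapsed.
    svc.request_reset("member@example.invalid")
    late_token = token_from_mail(svc.outbox[-1][1])
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_rejected"] = not svc.complete_reset("member@example.invalid", late_token, "x")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```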


Yup! So is oxygen, but I don't see that being banned either... Dang that First Amendment!
wiredmikey writes with word (and the following extract from a CNN report) that
"Nitsana Darshan-Leitner, director of the Shurat HaDin Israel Law Center, sent a letter to Twitter on Thursday asserting that the company is violating U.S. law by allowing groups such as Hezbollah and al Qaeda affiliate al-Shabaab to use its popular online network. ... In her letter, Darshan-Leitner noted that Hezbollah and al-Shabaab are officially designated as terrorist organizations under U.S. law. She also cited a 2010 Supreme Court case — Holder v. Humanitarian Law Project — which upheld a key provision of the Patriot Act prohibiting material support to groups designated as terrorist outfits."


Interesting how quickly this generated a storm of comments...
"Cory Doctorow's keynote at 28C3 was about the upcoming war on general-purpose computing driven by increasingly futile regulation to appease big content. 'The last 20 years of Internet policy have been dominated by the copyright war, but the war turns out only to have been a skirmish. The coming century will be dominated by war against the general purpose computer, and the stakes are the freedom, fortune and privacy of the entire human race.'"
If you don't have time for the entire 55-minute video, a transcript is available that you can probably finish more quickly.


Perhaps this is the future?
A Web Of Apps
It is remarkable to think that we’re in the early days of the app era, when there are already close to 600,000 iOS applications and nearly 400,000 on Android (source: Distimo). The growth of these app ecosystems has been rapid, exponential and shows no signs of slowing down. As well it shouldn’t: the untapped, addressable market for mobile apps involves hundreds of millions of users.
And yet, app discovery remains a challenge. Whether in an app store, on the device itself, or via a third-party service. Whoever cracks the nut of app discovery will have the potential to be the next Google: the search engine of the modern age. The search engine for a web of apps.


I'll review these to find one or two to add to my morning reading.
December 30, 2011
The 2011 ABA Journal Blawg 100
[One from DU: TheRacetotheBottom.org
[Considering:


For those highly suspect (student submitted) files...
How to scan files with multiple antivirus apps all at once
… For added peace of mind, you can scan a file using VirusTotal to get infection reports from several different antivirus programs all at once.


For my Math students...
Friday, December 30, 2011
… To start off the new year, each day this week I'll be posting a list of eleven resources to try in a particular content area. Today's list is for mathematics teachers, tomorrow's list will be for science teachers.


For all my students. Someone spent way too much time on these – grab them while you can.
… Let’s fire up MS Word and take a look at 8 free Office.com templates that help you generate ideas with Microsoft Word. You can use the search field to get to the template if you have a specific term; you can drill down the categories; or you can follow the links below.


Remember when the US used to be able to do this?
China aims to put astronauts on moon


Happy New Year? Perhaps they are feeling frisky because they were able to drive the US out of Iraq?
"The high stakes standoff between Iran and the U.S. over the Strait of Hormuz, the passageway for one-fifth of the world's oil, escalated this week as Iran's navy claimed to have recorded video of a U.S. aircraft carrier entering the Port of Oman and the deputy chief of Iran's Revolutionary Guard Hossein Salami rejected U.S. claims that it could prevent Iran from closing the strait. To drive the point home, Iran has started a 10-day naval exercise in the Persian Gulf to show off how it could use small speedboats and a barrage of missiles to combat America's naval armada while in a report for the Naval War College, U.S. Navy Commander Daniel Dolan wrote that Iran has acquired 'thousands of sea mines, wake homing torpedoes, hundreds of advanced cruise missiles (PDF) and possibly more than one thousand small Fast Attack Craft and Fast Inshore Attack Craft.'"
(Read more, below.)

Friday, December 30, 2011


“Youse guys vote da right way or it's free colonoscopies for everyone!” Isn't there a government funded/supported airport in almost every congressional district? If that's not enough, VIPR expands TSA's scope to trains, buses, elevators, tricycles, roller skates, sneakers...
"It looks like Congress' recent jabs at TSA were just posturing after all. Last Friday, President Obama signed a spending act passed by both houses of Congress. The act gives TSA a $7.85 billion budget increase for 2012 and includes funding for 12 additional multi-modal Visible Intermodal Prevention and Response (VIPR) teams and 140 new behavior detection officers. It even includes funding for 250 shiny new body scanners, which was originally cut from the funding bill last May."


If I read this correctly, by granting the telecomms immunity, the government took on sole responsibility?
Appeals Court Revives EFF’s Challenge to Government’s Massive Spying Program
December 29, 2011 by Dissent
Woo hoo! From EFF:
The 9th U.S. Circuit Court of Appeals today blocked the government’s attempt to bury the Electronic Frontier Foundation’s (EFF’s) lawsuit against the government’s illegal mass surveillance program, returning Jewel v. NSA to the District Court for the next step.
The court found that Jewel had alleged sufficient specifics about the warrantless wiretapping program to proceed. Justices rejected the government’s argument that the allegations about the well-known spying program and the evidence of the Folsom Street facility in San Francisco were too speculative.
“Since the dragnet spying program first came to light, we have been fighting for the chance to have a court determine whether it is legal,” said EFF Legal Director Cindy Cohn. “Today, the Ninth Circuit has given us that chance, and we look forward to proving the program is an unconstitutional and illegal violation of the rights of millions of ordinary Americans.”
Also today, the court upheld the dismissal of EFF’s other case aimed at ending the illegal spying, Hepting v. AT&T, which was the first lawsuit against a telecom over its participation in the dragnet domestic wiretapping. The court found that the so-called “retroactive immunity” passed by Congress to stop telecommunications customers from suing the companies is constitutional, in part because the claims remained against the government in Jewel v. NSA.
“By passing the retroactive immunity for the telecoms’ complicity in the warrantless wiretapping program, Congress abdicated its duty to the American people,” said EFF Senior Staff Attorney Kurt Opsahl. “It is disappointing that today’s decision endorsed the rights of telecommunications companies over those over their customers.”
Today’s decision comes nearly exactly six years after the first revelations of the warrantless wiretapping program were published in the New York Times on December 16, 2006. EFF will now move forward with the Jewel litigation in the Northern District of California federal court. The government is expected to raise the state secrets privilege as its next line of defense but this argument has already been rejected in other similar cases.
For the full opinion in Jewel:
For the full opinion in Hepting:
Previous coverage of Jewel v. NSA on PogoWasRight.org and in Pogo’s way-back archive.


I would really like to hear the arguments here. Why would the DA want information on anyone using the hashtags? (Think of it as the equivalent of asking for all emails with the Subject “Stupid DA Tricks”) If I commented on Occupy Boston's lack of a coherent plan using one of those tags, does that make me an “enemy of the state?”
Update: Judge refuses to quash subpoena of Twitter account used by person linked to Occupy Boston
December 29, 2011 by Dissent
Martine Powers reports:
A Suffolk Superior Court judge today ruled against a motion by lawyers from the American Civil Liberties Union to quash a subpoena for information from Twitter about a user involved with Occupy Boston.
On December 14, Suffolk District Attorney Daniel F. Conley filed a subpoena with the social networking site, asking for account information about a user named “p0isAn0n,” who is believed to have ties to the Occupy Boston movement.
Attorney Peter Krupp, on behalf of the ACLU, filed a motion to invalidate the subpoena based on First Amendment grounds.
But after a sidebar conference between the lawyers that lasted more than 30 minutes, Suffolk Superior Court Judge Carol Ball today ruled against the ACLU.
[...]
Read more on Boston Globe.
I wouldn’t expect First Amendment grounds to work if the criminal investigation concerns the hacking of any web sites. If all the user did, however, was tweet links to a data dump, then there are significant First Amendment issues. Unfortunately, we do not know why the D.A. wants that information and prosecutors generally get pretty wide latitude on criminal investigations.
So again, I ask, what will Twitter do? Will it turn over IP addresses associated with hashtags?
Twitter really needs to make some public statement about how it is handling this matter. Is it waiting to see if the lawyer appeals today’s ruling? Were Twitter’s lawyers in court today? What are they doing about other parties named/referenced in the subpoena where the subpoena appears defective by using hashtags instead of accounts (or the right accounts)?

(Related)
Court seals ACLU challenge to Twitter subpoena–Statement by the ACLU of Massachusetts
December 29, 2011 by Dissent
Following today’s court ruling where the court refused to quash the Twitter subpoena I’ve been covering on this blog, the ACLU of Massachusetts released the following statement:
We are disappointed and concerned that a Suffolk Superior Court judge today held a secret hearing over the objections of lawyers from the American Civil Liberties Union of Massachusetts, and then impounded all documents and motions filed in the case.
The matter involves a challenge to an already publicly-available and widely-reported administrative subpoena issued by the Suffolk District Attorney’s office on December 14, 2011 to Twitter, seeking personally identifying information for an anonymous Twitter user, as well as information on anyone “associated with” two Twitter hashtags: #d0xcak3 and #BostonPD. Twitter hashtags are essentially key words used to indicate a topic of conversation.
“The ACLU believes that courtrooms and court proceedings should be open to the public, except in rare and extraordinary circumstances,” said Carol Rose, executive director for the ACLU of Massachusetts. “Secret court proceedings, particularly proceedings involving First Amendment issues, are troubling as a matter of both law and democracy. In addition, the manner in which the administrative subpoena in this case was used, and its purported scope, is equally troubling and, in our opinion, well beyond what the Massachusetts statute allows.”
At the request of the government, and over the objection of ACLU attorneys, Judge Carol Ball today heard nearly 30 minutes of argument at sidebar–meaning that arguments by the attorneys were closed to the public, with several minutes of the hearing held with the judge hearing only attorneys from the prosecutor’s office and excluding the ACLU attorneys. Thereafter, the judge ruled that the record of the proceedings and all documents filed by the parties were impounded by the court.
Attorneys on the case are Peter Krupp of Lurie & Krupp, LLP; John Reinstein, senior legal counsel, and Laura Rótolo, staff attorney, of the ACLU of Massachusetts; and Aden Fine, staff attorney with the national ACLU Speech, Privacy and Technology Project.
This is where I wish a big mainstream news outfit – like, say, Associated Press – would go fight the seal as a matter of public interest. If the Fourth Circuit dealing with the DOJ/WikiLeaks case can realize that some things should be publicly available, I would hope the Massachusetts court would appreciate the need for as much transparency as possible.


...it comes FREE with your social network!
December 29, 2011
EPIC Sues DHS Over Covert Surveillance of Facebook and Twitter
"EPIC has filed a Freedom of information Act lawsuit against the Department of Homeland Security to force disclosure of the details of the agency's social network monitoring program. In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook. The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies. The legal authority for the DHS program remains unclear. EPIC filed the lawsuit after the DHS failed to reply to an April 2011 FOIA request. For more information, see EPIC: Social Networking Privacy."


No information is gathered from the suspect or his phone. Data comes from the Cell Provider's logs. Cheap way to avoid all that legal stuff?
De: 440,783 “Silent SMS” Used to Track German Suspects in 2010
December 29, 2011 by Dissent
Sean of F-Secure has an eye-opening blog post today:
… one of the most interesting things, from our point of view, was [Karsten] Nohl’s brief reference to recent reports (Dec. 13th) about various German police authorities having used nearly half a million “Silent SMS” to track suspects in 2010.
[...]
The Federal Ministry of the Interior provided details on December 6th. (PDF)
In the screenshot below, you can see the number of messages sent by three authorities since 2006.
[...]
So what exactly does this mean?
Well, basically, various German law enforcement agencies have been “pinging” mobile phones. Such pings only reply whether or not the targeted resource is online, just like an IP network ping from a computer would.
But then after making their pings, the agencies have been requesting network logs from mobile network operators. The logs don’t reveal information from the mobile phones themselves, but they can be used to locate the cell towers through which the pings traveled. And thus, can be used to track the targeted mobile.
Read more on F-Secure.
Can law enforcement in the U.S. legally use such silent SMS pings? Anyone know?


Business Opportunity? Buy the copyrights to all those old medical journals? Perhaps the rights to “How to file a copyright infringement lawsuit” are for sale?
"A recent New England Journal of Medicine editorial talks about the mini-mental state examination — a standardized screening test for cognitive impairment. After years of being widely used, the original authors claim to own copyright on the test and 'a licensed version of the MMSE can now be purchased [...] for $1.23 per test. The MMSE form is gradually disappearing from textbooks, Web sites, and clinical tool kits.' The article goes on to describe the working of copyright law and various alternative licenses, including GNU Free Documentation License, and ends with the following suggestion: 'We suggest that authors of widely used clinical tools provide explicit permissive licensing, ideally with a form of copyleft. Any new tool developed with public funds should be required to use a copyleft or similar license to guarantee the freedom to distribute and improve it, similar to the requirement for open-access publication of research funded by the National Institutes of Health.'"


In some cases these are the only backups users have. In other cases these are the only copies. Should/Do we care?
December 28, 2011
Commentary - Online Archives Disappear Along With Unique Collections
… This article by Matt Schwartz, with reporting by Eva Talmadge, in Technology Review, provides insight into the work of some individuals whose mission is to salvage the "intellectual" property of millions of web users whose terabytes of words, work and documents are disappearing despite quick, creative and technologically adroit efforts to save what can be called modern internet "history" on a global scale. This article documents some of the challenges in the struggle to manage massive data loss, the folks who are data defenders, and how truly valuable library collections are in serious danger. Variables associated with digitizing collections (copyright, cost, sheer volume of the task, and global conflict to name just a few) continue to impact this dynamic problem.
  • "People tend to believe that Web operators will keep their data safe in perpetuity. They entrust much more than poetry to unseen servers maintained by system administrators they've never met. Terabytes of confidential business documents, e-mail correspondence, and irreplaceable photos are uploaded as well, even though vast troves of user data have been lost to changes of ownership, abrupt shutdowns, attacks by hackers, and other discontinuities of service. Users of GeoCities, once the third-most-trafficked site on the Web, lost 38 million homemade pages when its owner, Yahoo, shuttered the site in 2009 rather than continue to bear the cost of hosting it."


Can't imagine why anyone would want to make anonymous calls? Have you been reading my Blog? This one's for Android...
At times, revealing your phone number to somebody is not the wisest decision – you might be unwantedly contacted [or subpoenaed Bob] after your initial correspondence. Fortunately there are anonymous numbers that can be used to call and text others.


Whatever you do, don't install this on your thumb drive and use it to hack your friend's (or the school's) WiFi...
How to find your Wi-Fi password
Fortunately there's an easy-to-use program that can retrieve the security information for networks saved on your computer.
Step 1: Download WirelessKeyView (or the 64-bit version of WirelessKeyView) to a computer that can connect to the wireless network.

(Related)
"Just a day after security researcher Stefan Viehbock released details of a vulnerability in the WiFi Protected Setup (WPS) standard that enables attackers to recover the router PIN, a security firm has published an open-source tool capable of exploiting the vulnerability. The tool, known as Reaver, has the ability to find the WPS PIN on a given router and then recover the WPA passphrase for the router, as well. Tactical Network Solutions has released the tool as an open-source project on Google Code, but also is selling a more advanced commercial version."

Thursday, December 29, 2011


This is another bankrupt firm. Apparently, everyone who cared about protecting important data left long ago... (along with those who knew tapes from disks)
UK: Information on 1.4m customers lost by Cattles Group Birstall headquarters
December 29, 2011 by admin
More than a million customers have had their personal details “lost” after a data mix-up at a loan firm’s Birstall headquarters.
The Cattles Group, which owns Welcome Finance loans firm, has written to customers informing them that two back-up storage discs with private information about 1.4 million customers have been misplaced.
Marlene Proctor, 31, from Wibsey, was one of the customers who received a letter saying the firm cannot account for her personal details, including bank details, national insurance number, date of birth and address.
[...]
As well as customers’ details, the lost IT discs included human resource data about staff who are part of the Cattles Group.
[...]
The Cattles spokesman said: “The storage tapes contain low-level personal data relating to 1.4 million customers, limited to names and addresses for 800,000, but also including date of birth and payment history for 600,000.
“The tapes also include HR data relating to staff in employment with the Cattles Group up to October 2010. A process to inform affected customers and employees is under way. There is no evidence that the information has fallen into the wrong hands or been used maliciously.
Read more on Telegraph & Argus.
h/t, AlertBoot, who point out some of the contradictions in the reports.
When companies go bankrupt or fold, we have often seen records treated with less than the scrupulous security they require. Over the years, I’ve reported cases where boxes of medical records are left behind or cartons of employee records are just thrown out, etc. Was the lack of adequate security in this case related to the firm having gone bankrupt? Hard to say, as the lack of proper security may just be symptomatic of other problems the firm had that resulted in bankruptcy. We may never know, but that’s a lot of personal data to be unaccounted for.


I like it!
WV: Bank says Va. company failed to prevent ID theft
December 28, 2011 by admin
Here’s another breach I hadn’t heard about. Interesting to see the bank suing the firm for negligence in security. Kyla Asbury reports:
The Bank of Charles Town is suing N/L Entertainment after it claims the company failed to prevent the theft of debit card and credit information of its customers at the Alamo Drafthouse Cinemas in Winchester, Va.
[...]
The bank claims at least 232 purchases were made using Bank of Charles Town customers’ debit cards.
As a result of the defendant’s negligence, the Bank of Charles Town has been damaged in the amount of $29,919.74 plus interest, according to the suit.
[...]
Jefferson Circuit Court case number: 11-C-436
Read more on: The West Virginia Record.
I’ve emailed the law firm requesting a copy of the complaint as this is one I want to follow.


Granted American Thinker leans a bit to the right, but even the Post noticed some new bits...
Data-Crazy Department of Education Throws Privacy Out the Window
December 29, 2011 by Dissent
Ann Kane is singing my tune:
Data is king in the progressives’ world. The more they have on you, the more they can control you.
A New York Post article brings to light the slippery slope of the State’s intrusion into the private lives of students and their families. Obama’s Department of Education has rewritten the rules for collecting data on American students. In a final version of the Family Educational Rights and Privacy statute published on December 2, 2011, the DoEd, within the space of 57 pages, effectively and comprehensively wills itself to be chief facilitator of state gathered data of public school children Pre-K through college.
The DoED claims there won’t be a central office to which all the states report; the states will have the option of sharing their own databases with other interested organizations. But students’ private health records, grades, and family information will be available to anyone who can provide a reason to have them.
Read more on American Thinker
[From the Post article:
Buried within the enormous 2009 stimulus bill were provisions encouraging states to develop data systems for collecting copious information on public-school kids. To qualify for stimulus money, states had to agree to build such systems according to federally dictated standards. So all 50 states either now maintain or are capable of maintaining extensive databases on public-school students.


This will conflict with the “no cellphones in the courtroom” rules.
December 27, 2011
iPhone Application Support for FedCtRecords (Federal Court Records)
"This application allows public access to court electronic records for Federal District Courts across the United States. Users MUST be registered, have a valid PACER account, to use this application. New users may register here PACER. This application is 'CASE SEARCH' only, therefore documents CANNOT be filed using this application, [Opportunity? Bob] users can only view documents and information that is currently filed. It is important to note that a PACER account is separate from any filing account. A PACER account is required for document access in all federal courts."


Cheap, simple videos – but students who pass my classes love them!
Khan Academy Jumps To 4M Uniques Per Month (Up 4X From Last Year)
… Currently the top post on Reddit, Khan has spent the last two hours detailing everything from their recent growth and his workflow to the team’s plans for the future.
The Highlights So Far:
  • Over the last month, Khan Academy saw 4 million unique users. That’s up from 1 million in the same period last year, and up from 3.5 million in October (asked by dbigthe)
  • “I’d say that 90% [of the videos are shot] in 1 take. 99% are 2 takes.” [That explains a lot, actually Bob]
  • “I will definitely do much more advanced mathematics in the next year than what we have now.” (This prompted Michael Nielsen, leading quantum computing expert and author of the standard text on the subject, to offer his assistance right in the thread)


So do I wait for the Aakash or pay nearly 3 times as much for immediate satisfaction?
"The HP TouchPad Go, which is a smaller version of the company's signature TouchPad, may go on sale for $99 like its predecessor. The tablet features a 1023 x 768 resolution display, runs on webOS, and also has a removable cover with soft-touch coating to minimize fingerprints on the 7-inch screen. HP's new tablet also comes with a removable battery, 32GB of storage, a 3G radio, a five-megapixel camera and LED flash. HP designed the TouchPad Go around the same time as the larger model, but it failed to reach production stages when the company decided to kill off all devices running on the doomed webOS. If the tablet indeed sells for $99, it would be the cheapest tablet in the world besides the Aakash tablet, which was released by the Indian government for $35."

Wednesday, December 28, 2011


Hackers follow the activities (achievements) of other hackers. But China isn't South Korea, so I don't expect them to change their mind.
Chinese Hacks May Be a Challenge to Real-Name Registration
December 27, 2011 by admin
C. Custer writes that the recent release of so many old (and large!) Chinese databases might be politically motivated as a challenge to China’s real-name registration policy:
The data released on the internet last week was already widely available in hacking circles, according to Wan Tao, the founder of a popular hacking online community. Wan told the Dongfang Daily that the reason the data looks so old (most of the information released involves pre-2009 usernames and passwords) is that it is old. Apparently, the databases have been floating around in hacker circles for some time, and hackers told the paper that whoever released the data must have done it for fun, as there is no way anyone could make money from such an old, widely-circulated database.
Fun, or to make a point about the increasing focus on real-name registration systems, which China’s biggest microblogs have already put into place. Wan told the Dongfang Daily that the release of the data could potentially be understood as a challenge to the emphasis on real-name registration systems; a (relatively) victimless way of demonstrating that storing people’s real identities on web servers might have unintended consequences. “Excessively emphasizing real-name registration has risks,” said Wan, “and at present, risk assessment has not been sufficient.”
Read more on Penn-Olson.com.
Although it’s purely speculative, it would make sense as a motive, as we saw South Korea walk back from its real-name registration policy after some very huge hacks there this year.


You have to wonder if these little design flaws are deliberate...
"There is a newly discovered vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router's setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points. Security researcher Stefan Viehbock discovered the vulnerability (PDF) and reported it to US-CERT. The problem affects a number of vendors' products, including D-Link, Netgear, Linksys and Buffalo. 'I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,' Viehbock said."


An interesting take on those “extended service plans.” After two years, most electronic devices are obsolete, so why would you (pre)pay someone to fix or replace them? If AT&T had sold these, would they still be repairing rotary dial phones?
Italy Fines Apple $1.2 Million Over AppleCare Sales
Today, Italy’s antitrust body has fined Apple, Inc. $1.2 million (900,000 euros) for pushing customers to buy its AppleCare Protection Plan without adequately disclosing the support that already comes with their device. In Italy, companies are actually required by law to provide two years of free support to customers, which, according to the Italian Antitrust Authority, was not clearly explained to Apple customers either online or at the point-of-sale.
This is not Apple’s only legal trouble in the EU. The company is also involved in patent litigation with Samsung and in a price-fixing case with e-book publishers.


Lawyers and social in the same sentence?
December 27, 2011
Survey: Social Media in the Legal Sector
"Vizibility and LexisNexis recently conducted a survey to help shed light on the use of social media in legal services marketing. To illustrate the findings, the results have been released as an infographic, available below. View the announcement here. The research suggests a high degree of reliance on broadly defined social media marketing programs, with 81% of survey participants reporting they already use social media marketing tools and another 10.1% saying they plan to deploy social media marketing elements within six months. Furthermore, reliance on social media tools and how they’re measured differ significantly by firm size. The survey found that a clear majority of participants consider social media an important part of their overall marketing strategy, with nearly half (48.5%) reporting that social media is “somewhat important” while another 31% believe the tools are “extremely important” to their total marketing efforts. Click a preview below to view the infographic at full size. The infographic is available in both black and white versions."

Tuesday, December 27, 2011


“That's where the people is...” to misquote Willie Sutton.
Attacks on Chinese sites continue: Now it’s 40 million users of Tianya who get the bad news (updated)
December 26, 2011 by admin
Zheng Yi reports:
The registration details of about 40 million users of tianya.cn, a big social networking site, were found to have been leaked on Sunday, following last Thursday’s discovery that user information had been leaked from several other websites.
According to Web users, tianya.cn was hacked and some 40 million users’ names and passwords were accessed. The details had been stored in clear text format instead of being encrypted, the Chengdu Evening News reported.
A tianya.cn customer service staff member who wished to remain anonymous confirmed the leak and said it was being investigated.
“The released information belongs to users who registered on our website before November 2009, when we saved information in clear text format. After that we started using encryption,” she said.
Read more on Global Times.
China.org.cn and ShanghaiDaily.com also report the breach, the latter adding that although there has been no official confirmation of some breaches I previously noted on this blog:
More profiles were later found online, including 20 million from 7k7k.com and 8 million from duowan.com, both gaming sites, and 5 million from SNS website renren.com, the newspaper said.
Update: Renren has reportedly denied that they had any breach or ever stored passwords in clear text.
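The report above turns on one detail: credentials stored in clear text, so a copy of the table is the password list. The following is an added example, not code from tianya.cn or the news reports, contrasting that storage pattern with a hardened one; it uses a per-user salt and a slow one-way hash (PBKDF2) rather than the "encryption" the report mentions, and the user names and passwords in it are constructed sample data.

```python
# Added example (not from tianya.cn or the Global Times report): two ways a
# site can keep credentials, and what a dump of each table gives away.
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class ClearTextStore:
    """The situation the report describes: passwords stored verbatim."""
    rows: dict = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        self.rows[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self.rows.get(user) == password

    def dump(self) -> dict:
        # Whoever copies the table holds every password as typed.
        return dict(self.rows)


@dataclass
class HashedStore:
    """Hardened form: random per-user salt plus PBKDF2-HMAC-SHA256.

    A dump yields only salts and digests. Each password has to be guessed
    separately (the salt defeats shared rainbow tables) and every guess
    costs `iterations` hash computations.
    """
    rows: dict = field(default_factory=dict)
    iterations: int = 100_000  # raise as hardware allows

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, self.iterations, dklen=32)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # fresh salt per account
        self.rows[user] = (salt, self._derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        rec = self.rows.get(user)
        if rec is None:
            # Burn a derivation anyway so an unknown user name is not
            # distinguishable from a wrong password by response time.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = rec
        # Constant-time comparison of the stored and recomputed digests.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def dump(self) -> dict:
        return {u: (s.hex(), d.hex()) for u, (s, d) in self.rows.items()}


def exposure_after_dump(store, dumped: dict) -> dict:
    """Replays each value from a dump as a login attempt and reports which
    accounts it opens; with a clear-text table every value works, with a
    hashed table none do."""
    return {user: store.verify(user, str(value)) for user, value in dumped.items()}


if __name__ == "__main__":
    # Constructed sample accounts; note two users sharing one password.
    plain, hashed = ClearTextStore(), HashedStore()
    for store in (plain, hashed):
        store.register("alice", "hunter2")
        store.register("bob", "hunter2")
    print("clear-text dump opens:", exposure_after_dump(plain, plain.dump()))
    print("hashed dump opens:", exposure_after_dump(hashed, hashed.dump()))
    print("same password, distinct digests:",
          hashed.dump()["alice"] != hashed.dump()["bob"])
```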

(Related) Is this why?
"China is increasingly operating an online parallel universe where social media clones 'mimic the functions of the most popular, internationally recognized social media applications, such as Facebook and Twitter. The replicas, however, come with a major catch: they systematically comply with the Chinese Communist Party’s strict censorship requirements.' They are satisfying the growing demand of hundreds of millions of Chinese citizens for social media tools, reducing incentives for them to circumvent the 'Great Firewall,' Freedom House warns. Testing by researchers found that a search for the names of seven prominent Chinese lawyers, activists, and journalists on Sina Weibo returned no results, only an Orwellian notice that 'According to related laws and policy, some of the results are not shown here.'"


Perspective: I'm a “Bah, humbug!” kind of guy, so I'm looking for a good anti-social network... (Seriously, worth reading.)
December 25, 2011
ComScore: Top 10 Need-to-Knows About Social Networking and Where It’s Headed
  • "The importance of social networking in today’s online experience cannot be overstated. Social networking is the most popular online activity worldwide accounting for nearly 1 in every 5 minutes spent online in October 2011, and reaches 82 percent of the world’s Internet population, representing 1.2 billion users around the globe. This report analyzes the current state of social networking activity around the globe, providing key insights into how social networking has influenced the digital landscape and implications for marketers operating in this social world."

Monday, December 26, 2011


I thought this centered on the fact that IMDB added information to her resume information. In other words, she had paid to create a resume online and IMDB added some personal info they were privy to because they had her credit card info. Sounds like that argument was largely ignored...
Actress Forced to Reveal Name in IMDB Lawsuit
December 25, 2011 by Dissent
Matthew Belloni reports:
The actress suing Hollywood information database IMDb for listing her true age cannot move forward with the case unless she reveals her identity, a federal judge has ruled.
In a sharply-worded decision issued on Friday, U.S. District Court Judge Marsha Pechman found that while the anonymous actress who sued for $1 million fears blacklisting and other retribution in Hollywood if her true identity is known, “the injury she fears is not severe enough to justify permitting her to proceed anonymously,” the ruling states.
Read more on The Hollywood Reporter.


A contract of verbal assurances? Could get interesting. Absent any evidence (emails for example) could the company prove they had any interest in this blog before the lawsuit?
A Dispute Over Who Owns a Twitter Account Goes to Court
… In October 2010, Noah Kravitz, a writer who lives in Oakland, Calif., quit his job at a popular mobile phone site, Phonedog.com, after nearly four years. The site has two parts — an e-commerce wing, which sells phones, and a blog.
While at the company, Mr. Kravitz, 38, began writing on Twitter under the name Phonedog_Noah, and over time, had amassed 17,000 followers. When he left, he said, PhoneDog told him he could keep his Twitter account in exchange for posting occasionally.
The company asked him to “tweet on their behalf from time to time and I said sure, as we were parting on good terms,” Mr. Kravitz said by telephone.
And so he began writing as NoahKravitz, keeping all his followers under that new handle. But eight months after Mr. Kravitz left the company, PhoneDog sued, saying the Twitter list was a customer list, and seeking damages of $2.50 a month per follower for eight months, for a total of $340,000.


Data Mining & Data Analytics: because there's money to be made!
The joys of real-time data analysis for online retailers
There are undoubtedly a number of aspects to the growth in online sales. But after spending some time with a few of the major online retailers last week--including one who might not be considered a "retailer" in the traditional sense, I realized that the online world has a huge competitive advantage in its predilection toward data analysis with actionable near real-time results.
Amazon's suggested items and Apple's accessory push over the holidays are basically "we know this, so we suggest that" approaches toward customer loyalty that have been very successful. But taking advantage of what we know via programmatic interactions between human and browser or mobile phone is being greatly extended into gaming services such as Zynga, which can very specifically target a user with an upsell or offer new item based on the analysis they perform in the course of gameplay.


A rose by any other name is a petunia? Would the average MBA be concerned with revenue or profit? Does a marginal cost of (virtually) zero make up for the lost replacement market? Are they suggesting that after 26 reads the average library book needs replacing? Is there a business opportunity here similar to that in the Music industry?
"The NY Times is running a piece on the tug of war between publishers and libraries for e-book lending. In one corner are the publishers, who claim that unlimited lending of e-books 'without friction is not a sustainable business model for us.' For example, Harper Collins claims in this corporate statement that unlimited lending would lead to a decrease in royalties for both the publisher and the writers. The NYT author further states that 'To keep their overall revenue from taking a hit from lost sales to individuals, publishers need to reintroduce more inconvenience for the borrower or raise the price for the library purchaser.' Their current solution is to limit the number of readings to 26 before a book license must be renewed. In the other corner are the libraries, who are happy that e-books are luring people back to libraries, bringing with them desperately needed additional funding. With e-book sales going extremely well this year and the introduction of more capable e-readers, this debate is likely to get worse before it gets better. The Guardian also has an interesting related piece on the pricing practices of the Big Six publishers."


Handy for making a handout?
dotEPUB is a web tool that lets you convert webpages into ePub documents so you can read them on your favorite device.
You can use dotEPUB as a browser bookmarklet for Chrome, Safari, Firefox or even as a Chrome extension. Simply click on the button and the tool will convert the webpage being viewed to an ePub document. You can also use a widget to install this conversion service on your website, thereby allowing your website visitors to convert your webpage into an ePub document. These documents can easily be transferred or emailed to your tablet or eReader.

(Related) Same goal, but simpler...
With Marker.to, you can highlight important information on any website you are browsing. The highlight version of the webpage can then be shared with anyone using a specific URL created by the service. That URL can be shared on Twitter, Facebook or via email with any friend or colleague. Once installed, a small pen icon will appear right next to your address bar. All you have to do is click on that icon and start highlighting important points from any article. If you want, you can change the color of the highlight as well.


Change is hard! This video puts the arguments against pushing new technology into the classroom in perspective. Unfortunately, it's not funny...
Technology Integration in the Classroom

Sunday, December 25, 2011


Government probably never promised to keep everything confidential. It gets back to the “public information” vs. “analyzed, categorized and published information” debate.
Office of the New York City Public Advocate Hacked
December 24, 2011 by admin
Okay, this is bad. So bad that if it had been published before I wrote my “worst breaches of 2011” post, it would have probably made the list.
The Office of the New York City Public advocate was hacked and the entire database appears to have been dumped, including thousands of pages of highly personal details of those who sought the public advocate’s assistance via a form on their web site: names, addresses, telephone numbers, e-mail addresses, medical conditions, financial woes, and reports of abuse and domestic violence as well as the expected complaints about landlords, construction, noise, and rats and mice — lots and lots of rats and mice. The requests for assistance appear to go back to April 2010, raising the question as to why such old material was still on the server instead of being archived or moved offline.
Politically, exposure of reports of alleged police misconduct and city government incompetence should be embarrassing to the agency. That is, if the mainstream media ever find out about the breach and journalists decide to work their way through the entries.


IT has faced this problem AT LEAST since the early days of Apple computers (with VisiCalc). IT tried to ban or at least avoid responsibility for PCs (little machines for little problems), local area networks, even phone systems (the early link to the Internet).
"The BYOD (bring your own device) phenomenon hasn't been easy on IT, which has seen its control slip. But for these five technologies — mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps — it has already slipped, and Forrester and others argue IT needs to let go of them. That also means not investing time and money in all the management apps that vendors are happy to sell to IT shops afraid of BYOD — as this post shows, many just won't deliver what IT hopes."


If your insurance company required you to follow “Best Practices” to collect on your policy, would you comply? (I've got five years of examples saying “No!”)
"The high profile hacks to Sony's systems this year were quite costly — Sony estimated losses at around $200 million. Their insurance company was quick to point out that they don't own a cyber insurance policy, so the losses won't be mitigated at all. Because of that and all the other notable hacking incidents recently, analysts expect the cyber insurance industry to take off in the coming year. 'Last October, the S.E.C. issued a new guidance requiring that companies disclose "material" cyber attacks and their costs to shareholders. The guidance specifically requires companies to disclose a "description of relevant insurance coverage." That one S.E.C. bullet point could be a boon to the cyber insurance industry. Cyber insurance has been around since the Clinton administration, but most companies tended to "self insure" against cyber attacks.'"


A project for Computer Law students?
"I am a developer and released some code at one point under GPLv2. It's nothing huge — a small Drupal module that integrates a Drupal e-commerce system (i.e. Ubercart) with multiple Authorize.net accounts — but very useful for non-profits. Earlier today I discovered that a Drupal user was selling the module from their website for $49 and claiming it was their custom-made module. I'm no lawyer, but my perspective is this violates both the spirit and law of GPLv2, most specifically clause 2-b: 'You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.' Am I correct in my understanding of GPLv2? Do I have any recourse, and should I do anything about this? I don't care about money, [Consider everything an attorney fee? Bob] I just don't want someone selling stuff that I released for free. How do most developers/organizations deal with licensing infringements of this type?"


Is this a real concern, or does Putin have adequate control? If “Arab Spring” was hot, imagine a “Russian Winter.”
Protesters target Putin for their 'Russian Winter'
Tens of thousands of people fed up with Vladimir Putin's domination of Russian politics and his perceived arrogance towards them jammed one of Moscow's broadest avenues to protest, vowing to keep building the pressure until the long-time leader is driven from power.
''Russia without Putin!'' the crowd chanted as it protested against alleged fraud during recent parliamentary elections in which Prime Minister Putin's United Russia Party garnered nearly 50 per cent of the vote.

Saturday, December 24, 2011


Does this mean we have a working definition of “An Act of CyberWar?” Where do we draw the line? If some kid tries to access the Pentagon's servers, mistakenly searching for “World of Warcraft” tips, will the NSA fry his computer? (Or send a drone over with a missile?)
"Congress has recently authorized the use of offensive military action in cyberspace. From the December 12th conference on the National Defense Authorization Act, it states,
'Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, Allies and interests, subject to: (1) the policy principles and legal regimes that the Department follows for kinetic capabilities, including the law of armed conflict; and (2) the War Powers Resolution.'
According to the FAS, 'Debate continues on whether using the War Powers Resolution is effective as a means of assuring congressional participation in decisions that might get the United States involved in a significant military conflict.'"


Everyone has an opinion (and a list).
The six worst data breaches of 2011
December 24, 2011 by admin
If you’re looking for the biggest breaches of the year in terms of numbers affected, you can find them over on DataLossDB.org or in others’ reviews. Certainly there were some really big breaches this year, but those were not necessarily the worst, in my opinion. So here’s my short list of the year’s worst breaches involving personally identifiable information. In chronological order:
1. The HBGary Federal hack.
I don’t claim to be a security expert, but if you’re making the claim, then having your server successfully attacked and all your professional correspondence exposed on the web should be seriously embarrassing. Not only should HBGary Federal have been embarrassed, but the February attack also exposed – and brought into negative public light – a well-known law firm. From a public relations standpoint, this breach was an in-your-face and up-your-left nostril attack that should have put everyone on notice that both data security and the collective known as Anonymous needed to be taken more seriously. In terms of immediate impact, after the firm’s emails became public, the Chamber of Commerce and Bank of America cut all ties with HBGary. Two other firms that had collaborated with them – Berico Technologies and Palantir – also cut ties with them. By the end of the year, however, HBGary CEO Gary Hoglund said that the breach had actually helped their business. Good for them, but not so good for others, perhaps?
2. Texas Comptroller’s Office web exposure incident.
In April, Texas Comptroller Susan Combs reported that the personal information of 3.5 million people had been accidentally disclosed on the web for quite a while – including Social Security numbers, dates of birth and other personal information. No hack necessary to get a goldmine of information for identity theft. Talk about shooting yourself in the foot…
3. The Arizona Department of Public Safety hack.
A hack by LulzSec in June also makes my list of worst breaches of the year. In a politically motivated attack that presaged other “AntiSec” or political attacks, the hackers released personal information on members of Arizona law enforcement and their families. For the rest of the year, releasing personal information on employees and their families became almost routine, despite the fact that the hackers occasionally recognized that calling the exposure of innocent uninvolved people “collateral damage” was not particularly acceptable to many members of the public.
4. The stolen SAIC/TRICARE backup tapes.
There were some massive health care sector breaches this year, but the SAIC breach was particularly bad for a few reasons. Unencrypted backup tapes with medical data on 5.1 million members of the military and their dependents were left in an employee’s car for 8 hours and were stolen. This was not the first time SAIC had unencrypted backup tapes stolen. In fact, it was the second time since 2010. Despite that and other breaches they have had in recent years, they continue to get huge government contracts. Members of Congress have now asked why.
5. Insurance Corporation of British Columbia insider breach.
There’s a lot we don’t know about this breach as yet, but it seems that an employee of the insurance company accessed and then disclosed information on 13 people who were later either shot at or were the victims of arson. Scarily, the employee also accessed information on 52 other people. Will they become victims, too? The RCMP are investigating, but this appears to be one of those breaches where there can be real and serious harm that has nothing to do with ID theft.
6. Hemmelig.com hack.
Hackers downloaded the entire database of over 26,000 users of Hemmelig.com, a Norwegian site that includes the sex trade. The downloaded material, which includes images and very personal messages, was dumped on the web. It seems only a matter of time before we start seeing embarrassing revelations about public figures as well as private citizens.
So that’s my short list. Did I leave out your candidate for worst of the year? If so, what was it?


This is going to be really popular! “Would you like some candy, little girl?”
"What do you do when you spend over a billion dollars on products targeted specifically for adults? Simple, just put a device on your pudding dispensing vending machines that scans faces, and denies the delicious food to the kiddies. The Minority Report-like device will apparently judge the age of the individual based on the space between their eyes and ears. If the criteria are not met, the vending machine will shut down and ask the individual to step away from the machine. There are some vending machine combos that this makes sense for, but seriously — pudding?"
[From the Comments: The Japanese cigarette vending machines with facial recognition were pulled when they discovered that holding up a scale photo or magazine picture would pass the age check.]


Clearly, DAs need guidance, and not just about clinging to antediluvian technologies. Perhaps a paper explaining things like the Streisand Effect, social networks that don't toss their customers under the bus, etc. We already have plenty of truly bad examples...
Twitter gets subpoena for account info related to OccupyBoston, notifies users
December 23, 2011 by Dissent
This is getting ridiculous. Really.
Twitter received an administrative subpoena via fax [Patented 1843 Bob] on December 14 from the District Attorney of Suffolk County, Massachusetts. The subpoena indicates that pursuant to a criminal investigation by the Suffolk County D.A.’s office and the Boston Police Department, Twitter is to provide, within 14 days,
All available subscriber information, for the account or accounts associated with the following information, including IP address logs for account creation and for the period December 8, 2011 – December 13, 2011:
Guido Fawkes
@p0isAn0N
@OccupyBoston
#BostonPD
#d0xcak3
Yes, you read that correctly. The D.A.’s office is seemingly seeking account information associated with hashtags.
And yes, the account for Occupy Boston is @Occupy_Boston and not @OccupyBoston.
And yes, there are over 30 “Guido Fawkes” accounts on Twitter. Is the D.A. demanding non-content account information on all of them?
If ADA Benjamin Goldberger and Sgt. Detective Joseph Dahlbeck get a lot of ridicule, they may want to consider whether they did their homework before issuing the subpoena.
Unlike the DOJ/Twitter Order, which barred Twitter from notifying users of the order for their non-content data, the D.A.’s subpoena asks Twitter not to disclose the subpoena to users to protect the “confidentiality and integrity of the ongoing criminal investigation.” Twitter notified the users, however, and the Twitterverse is lighting up with protests over what appears to be an attempt to invade the privacy of users who engaged in protected political speech.
As to the stern caution on the cover page of the fax that dissemination, distribution, or copying of the contents of the fax is “strictly prohibited,” well, suffice to say that copies of the subpoena are already posted on a few sites.
When will law enforcement learn that if it tries to go after Twitter users’ information, Twitter will do what it can to notify users, and once it has done so, the situation will be broadly disseminated and discussed?
You can keep up with some of the developments on http://privacysos.org/blog and on Twitter, of course. And of course, I’ll be watching this matter, too, and wondering again why Twitter doesn’t make itself less useful to law enforcement by rolling over IP logs after 24 hours.

(Related) Obviously, you can find experts to help you use technology...
"Brandon Rittiman reports that White House officials launched a Twitter campaign Tuesday to put pressure on Congress to reach a deal extending the payroll-tax cut. Using the Twitter hashtag #40dollars, the White House successfully got thousands of people to respond and explain what a $40 cut to each paycheck would mean to them personally. By Wednesday morning, the #40dollars hashtag started 'trending,' which is what happens when Twitter's algorithms see a topic suddenly surge. It's not easy to create that kind of surge, but the White House has 2.5 million Twitter followers to call upon. Macon Phillips, the President's Director of Digital Strategy, says his team has managed to get a few Twitter topics to rise to the level of 'trending' before — most notably when they began tweeting about the death of Osama bin Laden. 'What's very important about a social-media campaign like this is that regular people are making the point about how this would affect them. It's not us here in Washington trying to argue on their behalf.' says Phillips. 'The #40dollars campaign puts a face on that amount to demonstrate the payroll tax cut's real-world impact on middle-class families.'"

(Related) Can Facebook predict the nominees/winners?
Ron Paul Is The Second Most Popular Republican Candidate On Facebook (And He’s Gaining)
Paul currently has 655,000 fans, half of Romney’s 1.23 million, and a fraction of Obama’s 24.3 million, but he’s well ahead of third-place primary candidate Michele Bachmann. Meanwhile, Newt Gingrich, who has appeared at many points in recent weeks to be Romney’s main Republican challenger, has had pretty minimal growth.


Very interesting idea. Will this catch on?
Volkswagen Blocks BlackBerry Use When Most People Use BlackBerries
The company has worked out a deal with unionized workers at its German sites to throttle their post-work BlackBerry use. VW is going to turn off messaging for these workers a half-hour after the workday ends, and flip the switch back on a half-hour before the next workday starts.
… The idea is to keep employees from feeling chained to their smartphones, and to send a message to bosses that it’s not reasonable to expect employees to be reachable at night, according to the Allgemeine Zeitung.


The article seems to suggest that technology was not the only or even the main driver of the choice – imagine that!
Berkeley Explains Why Google Trumps Microsoft
… Berkeley plumped for Gmail and Google Calendar in part because they’re cheap — Google offers its Apps to schools and colleges for free — but the university looked at far more than just price. This week, it laid out a detailed comparison of Google and Microsoft on its public website.


Useful when collaborating on documents?
Mergely is a useful online tool which can help users merge text documents and highlight changes made to existing documents. To use the service, all you have to do is paste the original document into the left column and enter the edited version in the right-hand corner. The changes which are not present in the revised document will be highlighted and shown in the original document.
Once done, you can save the document and the service will generate a share URL which can be used to send the document to any friend or colleague. If you want, you can even upload documents from your PC and compare them in seconds.