Friday, May 06, 2011

For my Computer Security students, who seem amazed at how many laptop thefts have been reported since class started...

CT: Police laptop stolen from cruiser parked at dealership

May 6, 2011 by admin

Elizabeth Dinan reports:

A police department laptop computer containing “a fair amount of records” was stolen from a marked cruiser and an on-board camera was damaged while the cruiser was left at an auto dealership for service, said Chief Jon Tretter.

The theft from and damage to the “brand new” cruiser occurred last week when it was parked overnight at Portsmouth Chevrolet where it was left for work on decorative trim, said Tretter. The police chief said he’s been advised that it’s unlikely anyone could access personal information stored on the stolen laptop because the battery is so old it barely functions without a companion power cord. [That's a new one. Bob]

Right. No one could possibly have a power cord.



Combine Encryption, Anti-Theft Technology to Safeguard Stolen Laptops

According to one study, some 2 million laptops are stolen each year.¹ And researchers at the Ponemon Institute estimate that 12,000 laptops are stolen at airports every week.²

Facts would seem to support rumor in this case.

Did Sony know its security was outdated?

When things go wrong in large institutions, one question that is often asked is: "What did they know and when did they know it?"

In the case of Sony--now confronted not only with two data breaches, but with the threat of a third, more destructive attack--that very question was posed this week in a House of Representatives subcommittee.

The answer given by Gene Spafford, a security expert and professor of computer science at Purdue University, raises troubling thoughts.

In written testimony to the House Subcommittee on Commerce, Manufacturing and Trade, Spafford highlighted recent data breaches at Sony and at Epsilon.

He wrote: "Both companies are large enough that they could have afforded to spend an appropriate amount on security and privacy protections of their data; I have no information about what protections they had in place, although some news reports indicate that Sony was running software that was badly out of date, and had been warned about that risk."

The Consumerist reported that in oral testimony on Wednesday to the subcommittee, Spafford amplified these comments.

He reportedly said Internet forums openly discussed that the Apache Web server software used by Sony was "unpatched and had no firewall installed." He also reportedly said that these concerns were debated in an open forum that was monitored by Sony employees. [and hackers everywhere. Bob]

… However, one more sentence in the response may offer a clue about Sony's previous priorities. The company is planning to create a brand-new position: chief information security officer.

(Related) This seems to be an escalation of coverage for Identity Theft victims. On the other hand, here's another company that has all your Personal Information (or they don't know what to look for...)

Sony CEO Stringer apologizes for PlayStation breach

Sony has made a deal with identity-protection firm Debix to offer a service called AllClear ID Plus for free to U.S. customers registered with PlayStation Network or Qriocity prior to the attack two weeks ago, Sony spokesman Patrick Seybold wrote in a blog post today.

… Stringer emphasized that the identity-theft monitoring program the company is offering customers has a "$1 million identity-theft insurance policy" included. Customers will be able to enroll in the program through an activation e-mail they'll receive "over the next few days." Registration will be open till June 18.

[From the blog:

The details of the program include, but are not limited to:

  • Cyber monitoring and surveillance of the Internet to detect exposure of an AllClear ID Plus customer’s personal information, including monitoring of criminal web sites and data recovered by law enforcement.

  • Priority access to licensed private investigators and identity restoration specialists.

  • A $1 million identity theft insurance policy per user to provide additional protection in the event that an AllClear ID Plus customer becomes a victim of identity theft.

(Related) Having all that Personal Information must be valuable, huh?

Nintendo revises privacy policy

May 6, 2011 by Dissent

Ben Parfitt reports:

As the industry continues to come to terms with the wider implications of the PSN breach, Nintendo has contacted Club Nintendo members about the introduction of a new privacy policy.

As part of it, the company asks permission to gather information from users. Users who don’t check or agree to the new policy will from May 31st be unable to spend any Stars in their personal Stars Catalogue and their membership will be cancelled.

Read more on MCV.

At first I thought I must have misunderstood – would Nintendo really cancel accounts if people declined to share their information? Seems like they will, though. As another site reports, here’s what the email to users said:

Please review our new Privacy Policy by logging into your Club Nintendo account. Once you have read the information displayed upon logging in, please use the appropriate buttons to either ACCEPT or DECLINE this new Privacy Policy.

Please note that if we haven’t received your answer by 31st May, 2011, or if you choose to DECLINE our new Privacy Policy, you will from that day onwards no longer be able to use your Stars in the Stars Catalogue, as we will be forced to deactivate your Club Nintendo membership. No matter what you decide, you can still use your Stars and enjoy all the other benefits of Club Nintendo membership until 31st May, 2011.

So Nintendo has seemingly implemented an “opt-in or f**k off, bugger!” privacy policy. We’ll see how that works out for them.

A new way to rat out your boss?

Don’t Leak to the Wall Street Journal’s New Wikileaks Knockoff

May 6, 2011 by Dissent

With some fanfare, the Wall Street Journal launched a new whistleblower site, SafeHouse. It didn’t take long for Jake Appelbaum to find the holes in it and if you were on Twitter yesterday, you could see a steady stream of tweets from @ioerror (Appelbaum), pointing out concerns. Adrian Chen writes:

The Wall Street Journal is trying to make a play for whistleblowers with its very own Wikileaks clone, SafeHouse. But SafeHouse is the opposite of safe, thanks to basic security flaws and fine print that lets the Journal rat on leakers.

SafeHouse, which launched today to much fanfare, promises to let leakers “securely share information with the Wall Street Journal,” by uploading documents directly to its servers, just like Wikileaks! But unlike Wikileaks, SafeHouse includes a doozy of a caveat in its Terms of Use:

Read more on Gawker.

We have the tools for ubiquitous surveillance.

May 05, 2011

The Deciders: Facebook, Google, and the Future of Privacy and Free Speech

The Deciders: Facebook, Google, and the Future of Privacy and Free Speech, Jeffrey Rosen

  • "Open Planet [24/7 ubiquitous surveillance system] is not a technological fantasy. Most of the architecture for implementing it already exists, and it would be a simple enough task for Facebook or Google, if the companies chose, to get the system up and running: face recognition is already plausible, storage is increasing exponentially; and the only limitation is the coverage and scope of the existing cameras, which are growing by the day. Indeed, at a legal Futures Conference at Stanford in 2007, Andrew McLaughlin, then the head of public policy at Google, said he expected Google to get requests to put linked surveillance networks live and online within the decade. How, he asked the audience of scholars and technologists, should Google respond?"

Will it be possible for citizens to decide to stop using the cards? How would any government react to a “Privacy Spring?”

Cn: Party magazine touts new blanket ID card

May 6, 2011 by Dissent

Zhang Han reports:

China is working on creating a more comprehensive national identity card and database for mainland citizens to improve the efficiency of maintaining social order, a Communist Party-run magazine has reported.

It was time for systematic “perfection of citizen identification registration and management,” wrote Zhou Yongkang, a member of the Standing Committee of the Political Bureau of the Central Committee of the Communist Party of China (CPC) in the latest issue of Qiushi, a biweekly official journal of the CPC Central Committee.


It had become urgent to establish a system to identify a citizen solely by a single identity card, Zhou argued, including information such as social security, family planning status, housing status, education, taxation, commercial and other financial information.

Related departments should deploy the identification card system to establish a national database, “to better manage and serve the country’s citizens,” Zhou wrote.

Read more on Global Times.

An interesting legal question. Perhaps there are limits to Copyright?

Feds Demand Firefox Remove Add-On That Redirects Seized Domains

The Department of Homeland Security has requested that Mozilla, the maker of the Firefox browser, remove an add-on that allows web surfers to access websites whose domain names were seized by the government for copyright infringement, Mozilla’s lawyer said Thursday.

But Mozilla did not remove the MafiaaFire add-on, and instead has demanded the government explain why it should. Two weeks have passed, and the government has not responded to Mozilla’s questions, including whether the government considers the add-on unlawful and whether Mozilla is “legally obligated” to remove it. The DHS has also not provided the organization with a court order requiring its removal, the lawyer said.

… The add-on in question redirects traffic from seized domains to other domains outside the United States’ reach. Since last year, the U.S. government has seized at least 120 domains in an antipiracy assault known as “Operation in Our Sites.” The domains are taken under the same federal statute used to seize drug houses.

For my Computer Forensics students... Worthy of a careful read...

Bin Laden's computers will test U.S. forensics

For the U.S. government, the raid on Osama bin Laden's compound in Pakistan represents a unique opportunity to test advanced computer forensics techniques called "media exploitation" that it's developed over the last few years.

The military's acronym for the process is DOMEX, which one Army team in Iraq cheekily sums up with this motto: "You check their pulse, we'll check their pockets."

The electronic gear hauled away by an assault team of Navy SEALs reportedly included five computers, 10 hard drives, and scores of removable media including USB sticks and DVDs. Some reports say the forensic analysis is taking place at the CIA's headquarters in Langley, Va., while others have placed it at a "secret location in Afghanistan." (See list of related CNET stories.)

While the U.S. government isn't exactly volunteering what's happening now, the Army has confirmed in the past that it provides "tactical DOMEX teams" to troops in Afghanistan. And a Defense Department directive (PDF) from January 2011 says the National Media Exploitation Center, or NMEC, will be the "central DoD clearinghouse for processing DoD-collected documents and media," a category that would include the bin Laden files.

… The NMEC support job, which requires a Top Secret security clearance, calls for "complete training in EnCase Forensic Software up through the EnCase Advanced training course or equivalent." A bachelor's degree in computer engineering is preferred. So is proficiency in "creating databases in MS Access and SQL."

[Wikipedia entry:

Is you innocent or is you ain't?

May 05, 2011

New on - The Age of Innocence: Actual, Legal and Presumed

Via - The Age of Innocence: Actual, Legal and Presumed: Ken Strutin reasons that any accounting of the justice system would put the presumption of innocence at the top of the ledger. The premise underlying this evidentiary rule is that no one should be found guilty of a crime unless the state has convinced a jury with proof beyond a reasonable doubt. The materials Ken has researched and documented for this guide focus on the drift from unitary innocence, which encompasses all possible claims to a wrongful conviction, to factual innocence rooted in exoneration jurisprudence. According to some scholars, factual exonerations may have confounded the wisdom behind the Blackstone Ratio and its overarching message, i.e., criminal law and procedure ought to be weighted in favor of innocence to avoid wrongful conviction, even if there is a chance that the guilty will benefit as well. In other words, a system of justice that is fair to all and seeks to protect the innocent from wrongful prosecutions must apply safeguards that will be over inclusive. The calculations of truth and fairness are rooted in a system of justice based on due process (or a presumption of due process). The scholarship collected here attempts to address questions of whether the concept of innocence is selective or categorical.

What is the purpose? If it's just raising money, then “per mile” is sufficient. If it is to “encourage us to 'go green'” then an MPG factor and a 'rush hour' surcharge will be added. Of course, states (counties, cities, school districts, etc.) will want to pile on. Sounds like a real boondoggle...

Draft Proposal Would Create Agency To Tax Cars By the Mile

"The Hill reports that the Obama administration has floated a transportation authorization bill that would require the study and implementation of a plan to tax automobile drivers based on how many miles they drive. The plan is a part of the administration's 'Transportation Opportunities Act,' and calls for spending $200 million to implement a new Surface Transportation Revenue Alternatives Office tasked with creating a 'study framework that defines the functionality of a mileage-based user fee system and other systems.' The office would be required to consider four factors — the capability of states to enforce payment, the reliability of technology, administrative costs, and 'user acceptance' — in field trials slated to begin within four years at unspecified sites. Forbes suggests the so-called vehicle miles traveled (VMT) tax should be called the Rube Goldberg Gas Tax, because while its objective is the same as the gas tax, the way it collects revenue is extremely complex, costly and cumbersome."

The disclaimers are thick on the ground, though; note, this is an "early draft," not pending legislation.

For my Geeks... (and a problem for my Computer Security students)

Canadian Researchers Create Thin-Film Flexible Paperphone

"Researchers from the Human Media Lab at Canada's Queen's University have created a fully-functioning floppy E-Ink smartphone, which they also refer to as a paper computer. Like its thicker, rigid-bodied counterparts, the Paperphone can do things like making and receiving calls, storing e-books, and playing music. Unlike them, however, it conforms to the shape of its user's pocket or purse, and can even be operated through bending actions."

[From the article:

When not actually being operated, the Paperphone consumes no electricity. Vertegaal's team have also created a similar device, the Snaplet, which can be worn like a wristband. It operates as a watch when in a convex state, becomes a PDA when flat, and can be used as a phone when turned concave.

(Related) Small (and cheap) is good! ...sometimes.

A $25 PC On a USB Stick

"[Game developer David] Braben has developed a tiny USB stick PC that has an HDMI port on one end and a USB port on the other. You plug it into an HDMI socket and then connect a keyboard via the USB port, giving you a fully functioning machine running a version of Linux. The cost? $25. The hardware being offered is no slouch either. It uses a 700MHz ARM11 processor coupled with 128MB of RAM and runs OpenGL ES 2.0, allowing for decent graphics performance with 1080p output confirmed. … We can expect it to run a range of Linux distributions, but it looks like Ubuntu may be the distro it ships with. That means it will handle web browsing, run office applications, and give the user a fully functional computer to play with as soon as it's plugged in. All that and it can be carried in your pocket or on a key chain."

Perspective. Apparently, having immediate access to a global market is good for business...

Commentary: Grouponomics of the Deal

18 months ago, Groupon didn’t exist. Today, it has over 70 million users in 500-odd markets, is making more than a billion dollars a year, has dozens if not hundreds of copycat rivals, and is said to be worth as much as $25 billion.

But first it’s worth looking at the innovation in the name of the company: the idea that coupons only become activated once a certain minimum number of people have signed up for them. This is essentially a guarantee for the merchant that the needle will be moved, that their effort won’t be wasted. With traditional advertising or even with old-fashioned coupons, a merchant never has any guarantee that they will be noticed or make any difference.

But with a Groupon, you know that hundreds of people will be so enticed by your offer that they’re willing to pay real money to access it. That kind of guaranteed engagement is hugely valuable, and more or less unprecedented in the world of marketing and advertising.
