Saturday, November 12, 2011


I feel a rant coming on...
Virginia Commonwealth University alerts 176,567 faculty, staff, students and affiliates to hacking incident
November 11, 2011 by admin
A notice was posted today on Virginia Commonwealth University’s web site:
To the VCU and VCU Health System communities:
A security incident has resulted in unauthorized access to a Virginia Commonwealth University computer server containing files with personal information on current and former VCU and VCU Health System faculty, staff, students and affiliates. We believe the likelihood is very low that any personal data on the individuals in the files was compromised, but it is impossible to be completely certain, [because we don't bother to record what happens on our servers? Bob] so we are notifying all involved via email and first-class mail.
On October 24, routine monitoring of servers supporting a VCU system uncovered suspicious files on one of the devices. The server was taken offline and a forensic investigation was launched [to see if we could figure out what the missing logs would have told us instantly Bob] to identify what unauthorized activities had taken place and the vulnerabilities that led to the compromise. The vulnerabilities have been corrected, and it has been determined that this server contained no personal data.
Five days later, VCU’s continuing investigation revealed two unauthorized accounts had been created on a second server, which also was taken offline. Subsequent analysis showed the intruders had compromised this device through the first server. [Apparently the “forensic examination” did not discover this... Bob] The intruders were on the server a short period of time and appeared to do nothing other than create the two accounts.
Files on this second server contained data on 176,567 individuals. Data items included either a name or eID, Social Security Number and, in some cases, date of birth, contact information, and various programmatic or departmental information.
Our investigation was unable to determine with 100 percent certainty that the intruders did not access or copy the files in question. [...since there was no log. Bob] We believe the likelihood that they did is very low. However, because this data was potentially exposed, we are proactively informing of this event and subsequent actions affected individuals can take to monitor personal information.
… VCU continues its investigation and is working with local and federal law enforcement agencies.
… VCU is reviewing its information technology security measures and procedures and will make improvements to prevent this type of incident from happening again. [But we still won't bother with logs... Bob]
It’s a good description but I wish they wouldn’t rush to minimize risk. The fact is, as they say, that they don’t know. Under such circumstances, why not just tell people what you do know and let them form their own assessment of their risk so they can decide what to do, if anything?
Previous breaches involving VCU can be viewed on DataLossDB.org.
[Gibberish from the CBS6 article:
The hackers infected one of the servers with some type of virus that allowed them to download 16 minutes worth [It's not a TV show.. Bob] of confidential information including name or id, date of birth, and even social security numbers.
"We can't be 100 percent certain that these files were not accessed," said VCU Chief Information Officer Mark Willis. "But we were able to attract [Track? Bob] the activities of the intruders very well. So, we know what they were up to, what they were doing."
Willis believes the information that could have been compromised goes back as far as to 2005. [and this was needed online, why? Bob]
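Bob's point about the missing logs, as an added example that is not from the VCU notice or from this blog: if a server records account creations and file opens per user, the question the notice could not answer ("did the two new accounts read the personnel files?") becomes a query over the log. The log lines, host names, account names and paths below are constructed, and the simplified "key=value" line shape is an assumption, not any real audit format.

```python
import re
from collections import defaultdict

# Constructed sample log (simplified syslog-like shape; not real auditd output).
# An account on srv1 (www-data) creates two accounts on srv2, one of which then
# reads a file under the personnel data tree.
SAMPLE_LOG = """\
2011-10-24T02:13:41 srv2 useradd user=svc_tmp1 by=www-data src=srv1
2011-10-24T02:13:55 srv2 useradd user=svc_tmp2 by=www-data src=srv1
2011-10-24T02:14:10 srv2 login user=svc_tmp1 src=srv1
2011-10-24T02:14:32 srv2 open user=svc_tmp1 path=/etc/passwd mode=r
2011-10-24T02:16:03 srv2 login user=svc_tmp2 src=srv1
2011-10-24T02:16:40 srv2 open user=svc_tmp2 path=/data/hr/affiliates.csv mode=r
2011-10-24T02:20:05 srv2 logout user=svc_tmp1
2011-10-24T09:00:12 srv2 login user=hr_batch src=10.0.9.4
2011-10-24T09:00:20 srv2 open user=hr_batch path=/data/hr/staff.csv mode=r
"""

# "<timestamp> <host> <event> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")

def parse(line):
    """Return a dict for one log line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for pair in m["kv"].split():
        key, value = pair.split("=", 1)
        rec[key] = value
    return rec

def unauthorized_accounts(records, approved_creators):
    """Accounts created by a principal that is not an approved provisioner."""
    return {r["user"] for r in records
            if r["event"] == "useradd" and r.get("by") not in approved_creators}

def sensitive_reads(records, accounts, sensitive_prefixes):
    """Map each suspicious account to the sensitive paths it opened."""
    reads = defaultdict(set)
    for r in records:
        if r["event"] == "open" and r.get("user") in accounts:
            if any(r["path"].startswith(p) for p in sensitive_prefixes):
                reads[r["user"]].add(r["path"])
    return dict(reads)

def analyze(log_text=SAMPLE_LOG, approved_creators=("root", "ldap-sync"),
            sensitive_prefixes=("/data/hr/",)):
    """Answer: which accounts were created outside normal provisioning, and
    which personnel files (if any) did those accounts actually open?"""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    accounts = unauthorized_accounts(records, approved_creators)
    return {"accounts": sorted(accounts),
            "sensitive_reads": sensitive_reads(records, accounts, sensitive_prefixes)}
```

On the constructed sample, the answer is definite either way: svc_tmp1 touched nothing under /data/hr/, svc_tmp2 opened one file there, and the legitimate hr_batch read is not attributed to either.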


What other facts are not correct?
The Twitter Wikileaks case: how an outdated law makes a researcher’s impressive analysis somewhat irrelevant
November 12, 2011 by Dissent
Over on Slight Paranoia, privacy and security researcher Chris Soghoian does a brilliant job of delving into a section of the recent opinion in the Twitter Wikileaks case.
In the opinion issued this week, Judge O’Grady addressed the issue of whether three people associated with Wikileaks had any reasonable expectation of privacy in their IP addresses. In a nutshell, after reviewing Twitter’s privacy policy and the “I agree” button that they had to click to obtain their Twitter accounts, the judge decided that they had no reasonable expectation of privacy with respect to their IP addresses.
In his blog post, Chris criticizes the judge’s analysis on a few grounds. Importantly, the privacy policy that the judge quoted in explaining his ruling was not the privacy policy that was in place at the time the three users first signed up for their accounts. Big oops, yes. Chris argues that the version in effect at signup would have given the users a reasonable expectation of privacy in their IP addresses – assuming that any of them had even read it. As everyone except the judge seems to recognize, almost no one actually reads privacy policies. [Apparently, lawyers didn't read it either Bob]
Although the judge did cite and analyze the wrong version of the policy, it is not clear that this is the judge’s error as we do not know whether counsel for the three individuals ever submitted the version that was in effect when they signed up. If they didn’t, that is unfortunate, although it wouldn’t have any bearing on the issue of whether people actually read the privacy policy or any updates to it.
Chris writes:
If the judge were to examine the privacy policy that existed when these three targets signed up for a Twitter account, he might decide that they do in fact have a reasonable expectation of privacy and that the government needs a warrant to get the data.
I disagree with Chris on that. Even if the judge had acknowledged that Twitter’s privacy policy at the time of signup created a reasonable expectation of privacy, the court could still simply point out that a company’s privacy policy cannot trump a 2703(d) order. Application for a 2703(d) order does not involve demonstrating that the target had no reasonable expectation of privacy. It only requires that “the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation….”
Not only does a privacy policy not exempt the provider from complying with an order under existing law, but the judge also cites Third Party Doctrine: (Order at p. 28) (Order at p. 30)
Game over. And I don’t blame the judge who is just applying existing law. The problem is with existing laws that desperately need updating.
ECPA needs to be updated so that a warrant is required to obtain users’ data from online providers. And we need to throw out outdated Third Party Doctrine and recognize that users have and are entitled to have a reasonable expectation of privacy for much of their online activities.
The Twitter Wikileaks case also reminds us – as if we needed more proof – that businesses that collect and retain data for months or years increase the risk to our privacy.
Lawyers for the three individuals have not yet announced any decision as to whether to appeal Judge Liam’s ruling. Frankly, I don’t think they can prevail. Not because they’re wrong, but because the law is wrong. And Congress needs to fix that.


Another outdated set of laws? An interesting take on why pirating continues...
How litigation only spurred on P2P file sharing
Do you remember back in 2001 when Napster shut down its servers? US courts found Napster Inc was likely to be liable for the copyright infringements of its users. Many of Napster's successors were also shut down.
Aimster and its controversial CEO were forced into bankruptcy, the highest court in the US strongly suggested that those behind Grokster and Morpheus ought to be held liable for "inducing" their users to infringe, and Kazaa's owners were held liable for authorisation by our own Federal Court. Countless others fled the market in the wake of these decisions with some, like the formerly defiant owners of Bearshare and eDonkey, paying big settlements on the way out.
By most measures, this sounds like an emphatic victory for content owners. But a funny thing happened in the wake of all of these injunctions, shutdowns and settlements: the number of P2P file sharing apps available in the market exploded.
… I would argue pre-P2P era law was based on a number of "physical world" assumptions. That makes sense, since it evolved almost exclusively with reference to physical world scenarios and technologies. However, as it turns out, there is often a gap between those assumptions and the realities of P2P software development.
Four such physical world assumptions are particularly notable in explaining this phenomenon. The first is that everybody is bound by physical world rules; the second, that it is expensive to create distribution technologies that are capable of vast amounts of infringement; the third, that distribution technologies are developed for profit; and the fourth, that rational developers of distribution technologies won't share their secrets with consumers or competitors.
Dr Rebecca Giblin is a member of Monash University's law faculty in Melbourne. Her new book Code Wars tells the story of the decade-long struggle between content owners and P2P software providers, tracing the development of the fledgling technologies, the attempts to crush them through litigation and legislation, and the remarkable ways in which they evolved as their programmers sought ever more ingenious means to remain one step ahead of the law.
… Visit codewarsbook.com where you can read the first chapter in full. Physical copies can be ordered online from stores like Amazon and Book Depository, and electronic copies are available via Google books at a heavily discounted price. [What? No P2P sharing? Bob]

(Related) How to alienate just about everyone...
"In a court case between Hotfile.com and Hollywood studios, Warner Brothers admitted they sent takedown orders for thousands of files they didn't own or control. Using an automated takedown tool provided by Hotfile, Warner Brothers used automated software crawlers based on keywords to generate legal takedown orders. This is akin to not holding the Post Office liable for what people mail, or the phone companies liable for what people say. But the flip side is that hosters must remove files when receiving a legal takedown notice from the copyright holder — even when the copyright holders themselves don't know what material they actually own."


In contrast to those who fight consumers to control content, these people make money by giving content away.
"Cryptic Studios, the developer of the Star Trek Online MMO, announced that they are switching to a Free-to-Play model on January 17th. Free subscribers to the game will be able to play, but will not get the same benefits as paying subscribers still get. Free accounts will be Silver, while paid accounts will be called Gold. Silver accounts will be able to pay for features that Gold members will get as part of their paid subscription. These features include but are not limited to respecs and extra character slots."
EverQuest II is jumping on the free-to-play bandwagon as well.


Who pushes technology adoption?
"Britain's biggest ISPs are struggling to convince customers to upgrade to superfast broadband. Of the six million customers who can get fiber broadband from BT, Britain's biggest ISP, only 300,000 have done so — a conversion rate of only 5%. Only 2.3% of Virgin Media customers, meanwhile, have upgraded to 50Mbits/sec or 100Mbits/sec connections. The chief of Ofcom, Britain's telecoms regulator, admits that take-up is 'still low' and says only families with teenage children are bothering to upgrade to fiber."


Perspective
People Now Watch Videos Nearly 30 Percent Longer On Tablets Than Desktops
It may come as no surprise, but Americans are watching more and more online video. In fact, they’re practically jonesin’ for it. According to comScore’s numbers, 182 million Americans watched online video content in September (for an average of 19.5 hours per viewer), while the U.S. video audience tallied a total of 39.8 billion video views. But what may be a bit more surprising is the extent to which people are now watching their video on tablets.
Ooyala, the provider of online video technology and services just released its first quarterly review, which you can find here.


For my Ethical Hackers (don't forget my finder's fee)
"There's a thriving trade in zero-day vulnerabilities, predicated on keeping knowledge of these vulnerabilities out of the public domain. For security researchers with knowledge of a bug that's not worth much, or for researchers who question the ethics of selling any bug information, there are alternatives. Vulnerability information service Secunia launched its Secunia Vulnerability Coordination Reward Program, which formalizes what Secunia says it's been doing informally for some time: It acts as a go-between for security researchers that have discovered a vulnerability in a product, and the vendor of that product. Do such practices jeopardize security for the many, while safeguarding just the few? It's still unclear whether Stuxnet's authors discovered the zero-day vulnerabilities themselves, procured them from a legal market, or bought them on the black market. If you're going to cash in, you face some tough ethical questions."


I want one. Is it too early to send Santa a Tweet?
"Designer Chris Hoffmann developed the Ryno, a heavy duty electric unicycle with a top speed of 25 mph, a range of up to 30 miles and an impressive 25-inch thick tire. The cost for a pre-production Ryno is a whopping $25,000, and Hoffmann already has five orders, but he expects the market model to cost about $3,500."


A whole bunch of interesting stuff...
...Idaho will become the first state to mandate that all high school students take at least 2 credits online in order to graduate. The move has been very controversial, with the Idaho Education Association blasting the Board of Education’s decision.
...The Department of Education and the Department of Defense launched the Learning Registry this week. The site is a joint effort between the two departments, the White House and numerous other federal agencies. The Learning Registry is meant to serve as an online clearinghouse of sorts for educational content. (That content includes information from various publishers and organizations, including the National Archives, the Smithsonian, PBS Learning Media, and OER Commons.) But it’s not a portal or a website that educators will visit per se. Rather it’s both an open technology platform that will allow for the exchange of data about learning resources (metadata, ratings, reviews, and so on), their usage, their standards alignment, and so on. The aim of the Learning Registry is to help remove some of the silos for educational resources.
...Codecademy added a new course to its learn-to-program website: jQuery. The startup also added a “scratchpad,” an “in-browser JavaScript editor that allows you to play around with what you’ve learned.”
...The University of Texas at Austin announced this week that it plans to give its 450,000 alumni lifetime access to their @utexas.edu email accounts. The university switched to Google Apps for Education last year.
