Saturday, January 22, 2011

Phil, when the TSA guys say “Papers, Citizen” just like the Gestapo in those old movies, you have to expect them to react just like the Gestapo when you refuse – law or no law. Or maybe this isn't the “Official” response to your refusal – maybe you just irritated one TSA agent who responded irrationally but will be fully supported because otherwise they have to admit to putting poorly trained, irritable agents in contact with the public.

Seattle man on trial for refusing to show ID to TSA agents

January 21, 2011 by Dissent

Lindsay Cohen & KOMO Staff report:

In November 2009, Phil Mocek was scheduled to board a Seattle-bound plane in Albuquerque, New Mexico.

Instead, he wound up in a jail cell, headed for a fight that could prove historic.

The Seattle man refused to show TSA officers his ID with his boarding pass, and argued he has a right not to show it.

There is no law requiring that passengers show their ID at checkpoints; however, passengers who refuse to show their ID are subject to additional security screenings.

After he refused many times to show his ID, officers asked him to leave. But instead of leaving, Mocek began taking photos and video of TSA officers against their warnings.

Read more on KOMO News.

For my Computer Security students.

Compromised Government and Military Sites For Sale

"Imperva blogged today about the sale of compromised .gov, .mil, and .edu sites, illustrating that cyber-criminals are getting bolder. Krebs on Security has an unredacted view of the site list. Perhaps the biggest threat is yet to come; if an industrious criminal can break into top government and military sites, so too can government-backed teams, proving that GhostNet and Stuxnet are just the beginning."

For all my IT students

How CD/DVD/Blu-Ray Copy Protection Software Works [Technology Explained]

Continuing their North Korea-inspired attempts to get their own way (yell loud and often until the other side caves in...). The objection I see here is a change from “Potential Damage” to “Potential Material Damage” – are they concerned they can't prove that?

RIAA Threatens ICANN Over Music-Themed gTLD Standards

"A letter to ICANN (PDF) from Victoria Sheckler, Deputy General Counsel for the RIAA, demands modifications to the future implementation of the .music gTLD, threatening to 'escalate the issue' if certain concerns about 'wide scale copyright and trademark infringement' are not addressed by ICANN in compliance with the RIAA. 'Under the current proposed standard, we fear that we will have no realistic ability to object if a pirate chooses to hijack a music themed gTLD to enable wide scale copyright infringement of our works,' Sheckler said."

I may use this to explain my new classroom Cell Phone policy...

Friday, January 21, 2011

This is typical. Most holders of data do not know where all of it resides. Some don't know where any of it resides. At least the article states that (some of) the files were encrypted.

UK: Police apologize over data loss incidents but need crystal ball at this point

January 21, 2011 by admin

This is somewhat painful to read. Maybe Jack Nicholson’s available to do a movie we could call, “As Bad as It Gets?” James Burke reports:

Police in Gloucestershire have admitted to a data loss incident involving confidential details, although the force also confesses it has no idea what information was lost.

An investigation by the Echo found that USB security, laptops and 999 call recordings have been compromised in the last three years, This Is Gloucestershire reports.

However, the force’s Information Security Register has no details about how or where the incidents occurred.

More on Cryptzone.


UK: Organ donation preferences of over 400,000 people recorded inaccurately

By Dissent, January 21, 2011

From the Information Commissioner’s Office:

The organ donation preferences of 444,031 people were recorded inaccurately on the Organ Donation Register (ODR) due to a software error, [Sure, blame the computer. Aren't managers supposed to make sure the computer works correctly? Bob] the Information Commissioner’s Office (ICO) said today.

In March 2010 NHS Blood and Transplant (NHSBT), who manage the Register, discovered irregularities between the organ donation information stated on Driver and Vehicle Licensing Agency (DVLA) application forms and the information recorded on the ODR. Further investigation revealed that an ODR software error dating back to 1999 had affected the recording of specific organ preferences from the DVLA.

Whilst the vast majority of the data remained accurate, it was discovered that the details of over 400,000 people required correcting, while a number of other patients had to be contacted directly in order to ensure that their original preferences remained intact.

Mick Gorrill, Head of Enforcement, said:

“I welcome the NHSBT’s commitment to correcting the inaccurate data and their willingness to make sure this type of incident does not happen again by introducing a variety of new security measures.” [Not “security,” “Management!” Bob]

Alan McDermott, Senior Information Risk Officer at the NHSBT, has signed an undertaking which commits the organisation to being more robust in checking information is accurate. This includes systematic sampling and checking of data for accuracy against source documents, routine cross-referencing, as well as making sure all forms for the collection of data are uniform.

Kind of a strange story. If it is Wikileaks, this is a major escalation. Who else might want to track Iceland's parliament?

Espionage In Icelandic Parliament

"An unauthorised computer, apparently running encrypted software, was found hidden inside an unoccupied office in the Icelandic Parliament, Althingi, connected to the internal network. According to the Reykjavik Grapevine article, serial numbers had been removed and no fingerprints were found. The office had been used by substitute MPs from the Independence Party and The Movement, the Parliamentary group of Birgitta Jonsdottir, whose Twitter account was recently subpoenaed by US authorities. The Icelandic daily Morgunbladid, under the editorship of Mr David Oddsson, former Prime Minister and Central Bank chief, has suggested that this might be an operation run by Wikileaks. The reporter for the Reykjavik Grapevine, Mr Paul Nikolov is a former substitute MP, having taken seat in Parliament in 2007 and 2008."

The PDF is huge. To make the text readable, you would need to print a wall sized copy. Grab the spreadsheet, where you can hide rows or columns to make reading this easier...

Social Media and Law Enforcement: Who Gets What Data and When?

January 21, 2011 by Dissent

Jennifer Lynch of EFF writes:

This month, we were reminded how important it is that social media companies do what they can to protect the sensitive data they hold from the prying eyes of the government. As many news outlets have reported, the US Department of Justice recently obtained a court order for records from Twitter on several of its users related to the WikiLeaks disclosures. Instead of just turning over this information, Twitter “beta-tested a spine” and notified its users of the court order, thus giving them the opportunity to challenge it in court.

We have been investigating how the government seeks information from social networking sites such as Twitter and how the sites respond to these requests in our ongoing social networking Freedom of Information Act (FOIA) request, filed with the help of UC Berkeley’s Samuelson Law, Technology & Public Policy Clinic. As part of our request to the Department of Justice and other federal agencies, we asked for copies of the guides the sites themselves send out to law enforcement explaining how agents can obtain information about a site’s users and what kinds of information are available. The information we got back enabled us to make an unprecedented comparison of these critical documents, as most of the information was not available publicly before now.

Read more and see the comparison spreadsheet (in .xls and .pdf) on EFF.

Schools are increasingly a world unto themselves...

Friday, January 21, 2011

Fines for Disruptive Behavior - A Discussion Prompt

Today's episode of CNN Student News ends [at about 7:50 Bob] with a quick story about some schools in Texas issuing fines of up to 500 dollars for poor conduct in school. As you might guess, some parents and students are not happy about this at all. The video is embedded below.

Cloning, hacker style...

How To Move A Full Operating System From An Old PC To A New One

Keeping up with the language...

Jargon Watch: Quote Stuffing, Bombiles, Privacy Zuckering

Privacy Zuckering v.

Creating intentionally confusing privacy policies —à la Mark Zuckerberg—to sucker users of social networking sites like Facebook into exposing valuable personal information.

Until comes out with “All the World's Hacking Tools” we get this information piecemeal... I wonder if it includes Stuxnet?

New Navy Jammer Could Invade Networks, Nuke Sites

When China’s stealth-fighter prototype took to the air two weeks ago, it intensified what was already a heated debate in Washington over which, and how many, new fighter planes to buy.

Lost in all this noise was the U.S. Navy’s real plan for winning any future air war with China or another big baddie. Rather than going toe-to-toe with J-20s and other enemy jets, the Navy is planning to attack its rivals where they’re most vulnerable: in the electromagnetic spectrum.

The frontline weapon for this electronic war is a new airborne jamming system currently in development. The Next Generation Jammer should allow the Navy to blind the enemy’s radars, disrupt its communications and slip malicious code into computer networks.

Technology continues to change...

Deloitte Predictions for the Technology, Media and Telecommunications Sector, 2011

Highlights of the 2011 Technology Predictions:

• More than half of all computers aren’t computers anymore

• Tablets in the enterprise: more than just a toy

• Operating system diversity: no standard emerges on the smartphone or tablet

• Online regulation ratchets up, but cookies live on

TMT Predictions 2011

This is a TED talk on medical imaging. I include it as an illustration of the volumes of data (not just medical data) we can expect in the near future. One CAT scan generates the equivalent of 800,000 telephone books (6 kilometers of books).

Anders Ynnerman: Visualizing the medical data explosion

Humor – a follow-up to an earlier story. Watch the video if you haven't already.

Texting fountain lady's problems bigger than YouTube fame

Thursday, January 20, 2011

For my Computer Security students: “Segregation of duties” is far less likely in a small business.

Hackers Respond To Help Wanted Ads With Malware

"The FBI issued a warning Wednesday about a new twist on a long-running computer fraud technique, known as Automated Clearing House fraud. With ACH fraud, criminals install malware on a small business' computer and use it to log into the company's online bank account. In this latest twist on the scam, the criminals are apparently looking for companies that are hiring online and then sending malicious software programs that are doctored to look like job applications. One unnamed company recently lost $150,000 in this way, according to the FBI's Internet Crime Complaint Center. 'The malware was embedded in an e-mail response to a job posting the business placed on an employment website,' the FBI said in a press release. The malware, a variant of the Bredolab Trojan, 'allowed the attacker to obtain the online banking credentials of the person who was authorized to conduct financial transactions within the company.'"

Is “suspected theft” a polite (i.e. politically correct) way to say “theft” or do they mean they could have lost the 7 million, but they think it was stolen? Easy way to find out. Ask Al Gore if he got his commission.

EU locks carbon market after security breach

LONDON/BRUSSELS--The European Union locked all accounts in its carbon market today, after a security breach, seeking to protect the battered reputation of the EU's main weapon against climate change.

… The European Commission suspended much of its Emissions Trading Scheme, the hub of a 92-billion-euro ($124 billion) global market, following the suspected theft of about 7 million euros of emissions permits from the Czech Republic's carbon registry.

This theft and a hacking attack on the Austrian registry on January 10 follow a raft of scandals to hit the market in the past two years, including VAT fraud, a phishing scam, and the resale of used carbon credits.

For my Computer Security students. What security was missing and what manager was responsible.

Nurse Fired for Snooping in Tiger Woods’ Records Files Defamation Suit

By Dissent, January 20, 2011

David Rothenberg was the charge nurse on duty at Health Central Hospital in Ocoee on Nov. 27, 2009, as paramedics wheeled in Tiger Woods. The golfer had just crashed his Cadillac Escalade into a tree and fire hydrant outside his Isleworth home.

According to Rothenberg, within hours of Woods’s arrival, someone inside the hospital improperly gained access to the patient’s confidential medical records using the nurse’s computer login and password.

“They said it had something to do with Tiger Woods’ lab results and my name was on there,” said Rothenberg. “I’ll be honest with you, I was scared. And I said, ‘I have no idea what you’re talking about.’”

In a defamation lawsuit filed this week against Health Central, the nurse claims he signed on to the hospital computer system and then walked away to tend to some other business.

“I minimized my screen, a common practice at the hospital,” said Rothenberg.

Rothenberg claims someone else must have approached his terminal, and within 10 minutes typed in “Tiger Woods,” as well as “Ronald Williams” and “Ernest Smith,” which the nurse has been told are aliases for the golfer.

Read more on (via @LawandLit)

This case is worth noting for several reasons:

1. The hospital detected – but did not prevent – unauthorized access to patient records.
2. An employee was disciplined for snooping in patient records.
3. The employee may not have snooped (if his story is true), but by taking shortcuts such as minimizing the window instead of logging out, may have contributed to his own grief.
4. There is no indication as to whether the hospital’s security controls automatically time users out after a certain amount of inactivity. If the nurse’s report is accurate, the system also does not automatically log people out when a window is minimized.
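The inactivity-timeout control raised in point 4, as an added example that is not code from the hospital or from the article: a minimal server-side session model in which minimising the client window is invisible to the server, so only an idle timeout (or an explicit logout) closes the gap. The session logic, names and timeline are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Session:
    user: str
    created: datetime
    last_activity: datetime


@dataclass
class AuditEvent:
    when: datetime
    user: Optional[str]   # None when no valid session backed the request
    patient: str
    outcome: str


class RecordSystem:
    """Server-side sessions for a records application (constructed model).

    The server never learns that a window was minimised; it only sees requests.
    Without an idle timeout, any request from the same browser session is
    attributed to the user who logged in, which is exactly the nurse's problem.
    """

    def __init__(self, idle_timeout: Optional[timedelta],
                 absolute_timeout: timedelta = timedelta(hours=12)):
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.sessions = {}
        self.audit = []
        self._counter = 0

    def login(self, user: str, now: datetime) -> str:
        self._counter += 1
        sid = f"sess-{self._counter}"
        self.sessions[sid] = Session(user, now, now)
        return sid

    def logout(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def _check(self, sid: str, now: datetime):
        s = self.sessions.get(sid)
        if s is None:
            return None, "no-session"
        if now - s.created > self.absolute_timeout:
            self.sessions.pop(sid)
            return None, "expired-absolute"
        if self.idle_timeout is not None and now - s.last_activity > self.idle_timeout:
            self.sessions.pop(sid)
            return None, "expired-idle"
        s.last_activity = now          # activity refreshes the idle clock
        return s, "ok"

    def open_record(self, sid: str, patient: str, now: datetime) -> str:
        """Every lookup is audited, including the denied ones."""
        s, outcome = self._check(sid, now)
        self.audit.append(AuditEvent(now, s.user if s else None, patient, outcome))
        return outcome


def replay(idle_minutes: Optional[int]):
    """Constructed timeline modelled on the story: the nurse logs in, opens an
    unrelated chart, minimises the window and walks away; about ten minutes
    later someone else at the same terminal looks up the patient of interest."""
    idle = timedelta(minutes=idle_minutes) if idle_minutes is not None else None
    rs = RecordSystem(idle)
    t0 = datetime(2009, 11, 27, 3, 0)
    sid = rs.login("nurse", t0)
    rs.open_record(sid, "unrelated patient", t0 + timedelta(minutes=1))
    # window minimised here: no request reaches the server for eleven minutes
    outcome = rs.open_record(sid, "patient of interest", t0 + timedelta(minutes=12))
    return outcome, [(e.user, e.patient, e.outcome) for e in rs.audit]


if __name__ == "__main__":
    print("10-minute idle timeout:", replay(10))
    print("no idle timeout:       ", replay(None))
```

With no idle timeout the audit trail attributes the lookup to the nurse; with a 10-minute timeout the request is refused and logged with no user, which is the trail an investigator would rather find.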

Oh for shame. You did something naughty, now you have to pay me... (Not a very well written article, but you get the idea...)


It has been brought to your regional BBB’s attention via the Central and Eastern KY BBB that there is a Wikileaks automated phone scam circulating.

A caller reported she received an automated phone call telling her that her computer and IP address had been noted as having visited the Wikileaks site, and that there were grave consequences for this, including a $250,000 or $25,000 fine, perhaps imprisonment. It left an option for leaving a message as to how she was going to handle this and the fine payment. She figured it was a scam, and did nothing but hang up. It gave a number on caller ID of 852-604-4799. Reverse searches on the Internet don’t bring up anything but a couple subjective chat boards where people report similar calls.

Social Security numbers were never intended to be used as identification numbers, but “everyone does it.” Shouldn't someone have noticed long before now?

Ingenix discovers it may have been exposing health service providers’ SSNs for up to 5 years

January 19, 2011 by admin

This is one of those breaches where I really don’t blame the company, which in this case is Minnesota-based Ingenix.

Ingenix provides web-based lookups so that patients can find providers in their area covered by their health plan. The provider data Ingenix uses is provided by the health plans or preferred provider plans themselves.

Ingenix recently discovered that in some cases, the health plans or preferred providers had used the providers’ Social Security Numbers as provider identification numbers. Thus, when someone looked up that provider through Ingenix’s search tool, the provider’s SSN was exposed, even though it was not identified as a Social Security Number and may not have been readily apparent as such. In some cases, providers’ SSN may have been available for five years.

Ingenix reported the issue to the New Hampshire Attorney General’s Office on January 6. Their notification letter indicates that they have offered 142 providers in New Hampshire free credit monitoring and credit restoration services. The total number of providers notified was not mentioned in the notification.

Providers can enroll for protection through a web site set up for them by ID Experts at
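A check that would have caught this feed problem before publication, as an added example that is not Ingenix's code or anything from the notification: it classifies each provider identifier in an incoming plan feed as a valid NPI (ten digits with a Luhn check digit computed over the 80840 prefix), as SSN-shaped (nine digits passing the SSA structural rules), or as something else, and reports the SSN-shaped ones masked. The feed rows are constructed.

```python
import re

# US Social Security Number structure: 3-digit area, 2-digit group, 4-digit serial.
# Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def looks_like_ssn(value: str) -> bool:
    """True if value is nine digits (dashes optional) that pass the SSA structural rules.
    This is a triage flag, not proof: any 9-digit id can collide with the pattern."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    if area == 0 or area == 666 or area >= 900:
        return False
    return group != 0 and serial != 0


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_npi(value: str) -> bool:
    """A National Provider Identifier is ten digits whose Luhn check digit is
    computed with the constant prefix 80840 prepended."""
    v = value.strip()
    return len(v) == 10 and v.isdigit() and luhn_valid("80840" + v)


def classify_provider_id(value: str) -> str:
    """'npi', 'ssn_like' or 'other'. NPI is tested first because it is the
    identifier a provider directory should be carrying."""
    if is_valid_npi(value):
        return "npi"
    if looks_like_ssn(value):
        return "ssn_like"
    return "other"


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself does not leak the number."""
    digits = re.sub(r"\D", "", value)
    return "***-**-" + digits[-4:]


def find_ssn_like_ids(rows):
    """Return (masked_id, provider_name) for every row whose id looks like an SSN."""
    return [(mask(r["provider_id"]), r["name"]) for r in rows
            if classify_provider_id(r["provider_id"]) == "ssn_like"]


# Constructed sample of a plan's provider feed; names and identifiers are made up.
SAMPLE_FEED = [
    {"provider_id": "1234567893", "name": "Provider A"},  # passes the NPI check digit
    {"provider_id": "NP1004", "name": "Provider B"},       # plan-internal id
    {"provider_id": "123-45-6789", "name": "Provider C"},  # dashed, SSN-shaped
    {"provider_id": "219099999", "name": "Provider D"},    # bare nine digits, SSN-shaped
    {"provider_id": "000123456", "name": "Provider E"},    # area 000: never issued
    {"provider_id": "1234567890", "name": "Provider F"},   # ten digits, fails NPI check
]

if __name__ == "__main__":
    for masked, name in find_ssn_like_ids(SAMPLE_FEED):
        print(f"{name}: identifier {masked} looks like an SSN; hold before publishing")
```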

Interesting “business plan.” If I didn't know better, I'd think the NSA was behind this company... - Record Phone Conversations

As the title of the review puts it, this is a new application that will let you record phone conversations. This can be done without having to get any additional hardware, and the fact the whole application is web-based means that you are not required to download and install anything either.

All you have to do is to dial 877-395-3442 from your phone and follow the provided instructions for the next call that you make to be recorded. You will then be provided with a session code that you can use to retrieve the call.

This service is provided at no cost, and the basic functionality at play (that of recording phone conversations) will always remain like that. Some premium features might be implemented later on, but the recording of phone calls will remain unchanged.

And just in case you are wondering, all the recorded phone calls are stored on Twilio, i.e. a secure server. You should not worry about the safety and privacy of what you record being compromised at all. [I'm taking bets here... Bob]

Sufficient? Has potential in any case...

Pennsylvania Court Specifies Test for Unmasking Anonymous Online Speakers

January 19, 2011 by Dissent

Ryan Mrazik writes:

Last week, the Superior Court of Pennsylvania vacated a trial court’s order directing the disclosure of the identities of six John Does who allegedly posted defamatory remarks on the internet and adopted a four-prong modified test for unmasking anonymous online speakers in the future. In Pilchesky v. Gatelli, 2001 Pa. Super. 3, Nos. 38 MDA 2009 and 39 MDA 2009 (Jan. 5. 2001), the appeals court reviewed the standards courts use to evaluate whether the identity of an anonymous online speaker should be disclosed, and concluded that “[t]here are four requirements which must be addressed [and which] are necessary to ensure the proper balance between a speaker’s right to remain anonymous and a defamation plaintiff’s right to seek redress.” These requirements, discussed further below, are

(1) notification of the John Doe defendants,

(2) sufficiency of evidence to establish a prima facie case for all elements of a defamation claim,

(3) an affidavit from the plaintiff asserting that the information is sought in good faith and is necessary to secure relief, and

(4) that the court has expressly balanced the defendant’s First Amendment rights against the strength of the plaintiff’s prima facie case.

Read more on Digestible Law.

Another opportunity lost.

Is There a Right of Informational Privacy? Supreme Court Avoids the Issue in NASA Opinion

January 19, 2011 by Dissent

Debra Cassens Weiss discusses today’s Supreme Court opinion in NASA v. Nelson with a focus on the court’s statements about whether there is a constitutional right to information privacy:

“We assume, without deciding, that the Constitution protects a privacy right of the sort” mentioned in two 1977 Supreme Court decisions, Alito wrote. “We hold, however, that the challenged portions of the government’s background check do not violate this right in the present case.”

The decision was 8-0, with a concurrence written by Justice Antonin Scalia and joined by Justice Clarence Thomas, SCOTUSblog reports. The concurrence argued there is no informational right to privacy.

“Like many other desirable things not included in the Constitution, ‘informational privacy’ seems like a good idea,” Scalia wrote. “But it is up to the people to enact those laws, to shape them, and, when they think it appropriate, to repeal them. A federal constitutional right to ‘informational privacy’ does not exist.”

Read more on ABAJournal.

Technology for my Criminal Justice students? Another tool to mount this on the dashboard of police cruisers (next to the license plate readers) and soon they will look like Google Earth cars...

Fingerprints Go the Distance – Are Our Laws Keeping Up?

January 19, 2011 by Dissent

Ian Geldard sent me a link to an article on Technology Review about a fingerprint technology that has the potential to become yet another part of public surveillance. Here are some snippets from the article so you can understand the potential for misuse:

Now a company has developed a prototype of a device that can scan fingerprints from up to two meters away, an approach that could prove especially useful at security checkpoints in places like Iraq and Afghanistan.

The device, called AIRprint, is being developed by Advanced Optical Systems (AOS). It detects fingerprints by shining polarized light onto a person’s hand and analyzing the reflection using two cameras configured to detect different polarizations.

Read the whole article on Technology Review.

As with most technology, this device clearly can be put to good use. But by now, I’ve come to look at technology and ask, “And how is this going to be misused, and with what consequences?”

So… if we have no reasonable expectation of privacy in public spaces, could these devices just record our fingerprints and match them against different databases or even add them to a database? Could law enforcement create a database of wanted criminals’ fingerprints and have these devices scan passersby to determine a match? Some might argue that that might not be a bad thing, but where is the line, and are our laws ready to deal with this type of possible use of surveillance technology in public spaces?

E-Mail v. Snail Mail

Mail Service Costs Netflix 20x More Than Streaming

"Netflix currently pays up to $1 per DVD mailed round trip, and the company mails about 2 million DVDs per day. By comparison, the company pays 5 cents to stream the same movie. In other words, the company pays 20 times more in postage per movie than it does in bandwidth. Doing some simple math, Netflix is spending some $700 million per year in physical disk postage. Rising content prices are offset by declining postage fees for the company, as more and more users choose the streaming-only option. Furthermore, subscriber revenues will continue to increase as Netflix increases the size of its streaming library."

I need to work this into my Business Classes...

In Graphics: What Is a 401(k) Plan?

Wednesday, January 19, 2011

As always, more questions than answers... Who owned the laptop? Why permit (insist?) the data be taken off-site? What possible processing required ALL the University's actual data? (Have they never heard of test data?)

Tulane University’s breach report to the NH AG’s Office

January 18, 2011 by admin

As an update to the Tulane University incident where a laptop with W-2 data was stolen from an employee’s car while he was traveling out of town:

Tulane’s notification to the New Hampshire Attorney General’s Office provides some additional details on the incident.

  • The employee had the data on a laptop because he was supposed to work on it over the winter break to prepare the W-2s.

  • The laptop was in a briefcase stolen from his (then unoccupied) car while he was away.

  • The data were unencrypted.

While the explanation seems like a reasonable explanation as to why the data should have been with the employee over break, it does not provide any adequate explanation of why the data weren’t encrypted and why the employee would just leave a laptop in a car – even in a locked trunk. Haven’t there been enough stolen laptop stories in the news the past few years to make everyone aware of the risks?

Poor reporting or just no real information released? Sounds like a fun one to follow if in fact Rahm Emanuel was a victim.

Two charged over iPad hacking on AT&T network

January 18, 2011 by admin

From Reuters:

U.S. prosecutors have charged two men with stealing and distributing email addresses for about 120,000 users of Apple Inc’s popular iPad.

Investigators accused Daniel Spitler and Andrew Auernheimer of using an “account slurper” [I'm thinking the FBI made this one up or is it so old I've forgotten the term? Bob] to conduct a “brute force” attack over five days last June, to extract data about iPad users who accessed the Internet through AT&T Inc’s 3G network.

Among the possible victims were celebrities, business executives and government officials like New York City Mayor Michael Bloomberg, ABC News anchor Diane Sawyer, movie mogul Harvey Weinstein and perhaps then-White House Chief of Staff Rahm Emanuel, prosecutors said.

Read more on Reuters.

[From the article:

Among the possible victims ... then-White House Chief of Staff Rahm Emanuel, prosecutors said.

… According to the complaint, the account slurper randomly guessed at data [More likely, they guessed passwords. Bob] held on AT&T's servers until it could match names with emails.

… After the hacking, it shut off the feature that allowed email addresses to be obtained. [Are they talking about lists of people and their email address or just lists of email addresses? Bob]
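What the server side of such a “slurper” looks like in the access log, and how to catch it, as an added example that is not from the article or from AT&T's systems: a client that walks an identifier range against a lookup feature produces many distinct identifier values from one source in a short window, most of them answered with 404 because the guess matched no account. The endpoint path, the `id` parameter and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined-format access line; the lookup route and parameter name are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access line into ip, timestamp, route, looked-up id and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("path"))
    ident = parse_qs(parts.query).get("id", [None])[0]
    return {"ip": m.group("ip"), "ts": ts, "route": parts.path,
            "id": ident, "status": int(m.group("status"))}


def detect_enumeration(lines, route="/lookup", window=timedelta(minutes=5),
                       distinct_threshold=20, miss_ratio=0.5):
    """Flag clients that query at least `distinct_threshold` different ids on
    `route` inside a trailing `window`, with at least `miss_ratio` of those
    requests answered 404. Returns {ip: stats at the moment of the first alert}."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["route"] == route and rec["id"] is not None:
            per_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()
        for rec in recs:
            recent.append(rec)
            while rec["ts"] - recent[0]["ts"] > window:   # drop requests outside the window
                recent.popleft()
            ids = {r["id"] for r in recent}
            misses = sum(1 for r in recent if r["status"] == 404)
            if len(ids) >= distinct_threshold and misses / len(recent) >= miss_ratio:
                alerts[ip] = {"distinct_ids": len(ids), "requests": len(recent), "misses": misses}
                break
    return alerts


def constructed_log():
    """Sample traffic: one ordinary client reloading its own page, and one client
    stepping through consecutive identifiers every two seconds. All values made up."""
    base = datetime(2010, 6, 5, 14, 0, 0)
    fmt = '{ip} - - [{ts}] "GET /lookup?id={id} HTTP/1.1" {status} 512'
    lines = []
    for i in range(2):
        ts = (base + timedelta(minutes=i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, id="8901001", status=200))
    for i in range(60):
        ts = (base + timedelta(seconds=2 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        status = 200 if i % 5 == 0 else 404        # one guess in five happens to exist
        lines.append(fmt.format(ip="203.0.113.9", ts=ts, id=str(8902000 + i), status=status))
    return lines


if __name__ == "__main__":
    for ip, stats in detect_enumeration(constructed_log()).items():
        print(f"{ip}: {stats['distinct_ids']} distinct ids in {stats['requests']} "
              f"requests, {stats['misses']} misses")
```

The same counters, kept per client in the application rather than read back from the log, are what a rate limit on the lookup feature would act on before the list is complete.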

(Related) ...and now I'm concerned that “got a boost” should be translated to “first learned about the hack...”

AT&T iPad hackers’ chats were turned in by secret source

January 19, 2011 by admin

Robert McMillan reports:

The government’s case against two men charged with hacking into AT&T’s website to steal e-mail addresses from about 120,000 iPad users got a boost last year when a confidential source handed over 150 pages of chat logs between the two and other members of their hacking group.

Excerpts from the logs, published in the court record, apparently show them talking about the legal risk of their hacking adventures, as well as ways that they could maximize the embarrassment caused by the incident.

Read more on Computerworld.

No real surprise, is it? Another reason why I should not use an employer's computer? Some companies still insist on providing me a “work computer” that is hopelessly out-of-date and has no useful software installed (they even try to block some of that useful hacking stuff!)

Work E-Mail Not Protected by Attorney-Client Privilege, Court Says

E-mails between a client and attorney are no longer considered privileged and confidential if the client writes the messages from a work e-mail account, a California court of appeals has ruled.

So, how do I take advantage of this?

January 18, 2011

Pew Report: The Social Side of the Internet

The Social Side of the Internet - Technology use has become deeply embedded in group life and is affecting the way civic and social groups behave and the way they impact their communities, by Lee Rainie, Kristen Purcell, Aaron Smith, Jan 18, 2011

  • "The internet is now deeply embedded in group and organizational life in America. A new national survey by the Pew Research Center’s Internet & American Life Project has found that 75% of all American adults are active in some kind of voluntary group or organization and internet users are more likely than others to be active: 80% of internet users participate in groups, compared with 56% of non-internet users. Moreover, social media users are even more likely to be active: 82% of social network users and 85% of Twitter users are group participants."

Double secret body scans? Is it really turned off, or is just the “ON” light extinguished?

TSA Now Forcing Opt-Outs To Walk Through Body Scanners?

January 19, 2011 by Dissent

Paul Joseph Watson of writes:

If the experience of a man traveling through Baltimore Washington International Airport last night is anything to go by, the TSA is now forcing people who opt out of the naked body scanner to walk through the machine as part of a psychological ploy to coerce subservience out of other travelers.

Alexander Petersen was passing through security to board a domestic flight to Florida with his wife and three children. After the backscatter x-ray machines were turned on, TSA staff started corralling passengers to go through the naked body scanners. Petersen’s family escaped selection but when he was told to submit to a scan, Petersen declined and opted for the invasive pat down instead.

“They then called for an ‘opt-out’ pat down and still told me I had to go through the machine,” writes Petersen.


Since November, I’ve read a number of anecdotal reports where people who did go through the scanners were still subjected to the invasive pat-downs, even though the body scanners did not sound any alarm or indicate any reason for suspicion. This is somewhat different, though, where the body scanners are reportedly being used as a “punishment” for those who object to them.

I continue to urge Congress to review and revise this horrific situation. No citizen of the U.S. should be required to undergo pat-downs that are aggressive and humiliating without reasonable suspicion. A large segment of this country, if not the majority, has had enough of the costly and privacy-invasive security theater and wants some sanity and respect restored to air travel.

For my Computer Security students

Encrypt Your Smartphone — Or Else

"Modern smartphones contain ever-increasing volumes of our private personal data — from text messages to images to emails — yet many smartphone security features can easily be circumvented by thieves or police officers equipped with off-the-shelf forensics equipment. Worse, thanks to a recent California Supreme Court ruling, police officers may be able to search your smartphone for hours without a warrant if you're arrested for any reason. Ars Technica has an article exploring the legal issues surrounding cell phone searches and explaining how you can safeguard your smartphone from the prying eyes of law enforcement officers."

[From the article:

While the search incident to arrest exception gives police free rein to search and seize mobile phones found on arrestees’ persons, police generally cannot lawfully compel suspects to disclose or enter their mobile phone passwords. That's because the Fifth Amendment's protection against self-incrimination bars the government from compelling an individual to divulge any information or engage in any action considered to be "testimonial"—that is, predicated on potentially incriminating knowledge contained solely within the suspect's mind.

Individuals can be forced to make an incriminating testimonial communication only when there is no possibility that it will be used against them (such as when prosecutors have granted them immunity) or when the incriminating nature of the information sought is a foregone conclusion. (For more on this subject, see this informative article forthcoming in the Iowa Law Review, also by Professor Gershowitz, which explores in great depth the uncharted legal territory surrounding password-protected mobile phones seized incident to arrest.)

… While police cannot force you to disclose your mobile phone password, once they've lawfully taken the phone off your person, they are free to try to crack the password by guessing it or by entering every possible combination (a brute-force attack). If police succeed in gaining access to your mobile phone, they may make a copy of all information contained on the device for subsequent examination and analysis. [Or they could copy everything on your phone and brute force it later... Bob]

Didn't Orson Welles admonish us to “release no software before its time?”

Stuxnet Authors Made Key Errors

"There is a growing sentiment among security researchers that the programmers behind the Stuxnet attack may not have been the super-elite cadre of developers that they've been mythologized to be in the media. In fact, some experts say that Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes."

Another tool for my Ethical Hackers.

Unsecured IP Cameras Accessible To Everyone

"In the last couple of decades, we have become so accustomed to the idea that the public portion of our everyday life is watched and recorded — in stores, on the street, in institutions — that we often don't even notice the cameras anymore. Analog surveillance systems were difficult to hack into by people who lacked the adequate knowledge, but IP cameras — having their own IPs — can be quite easily physically located and their stream watched in real-time by anyone who has a modicum of computer knowledge and knows what to search for on Google."

[From the article:

Camera names and model numbers matched with specific search tags such as “intitle,” “inurl,” “intext,” and many others, can yield links to cameras' remote viewing pages. Search combinations such as “intext:’MOBOTIX M10’ intext:’Open Menu’” and “intitle: ‘Live View / - AXIS 206M’” proved effective for Connor.

And he is not the only one. According to him, there are entire online communities of people interested in finding unsecured IP cameras and in discussing their interest on forums. They have also been known to provide large lists of search strings that work on Google Search and they are there for the taking for all those people who don't know where to start.

… Luckily for all of us who have the need for such a surveillance setup, securing these cameras can be done easily and fast by following instructions in the manual. They - and the DVRs and NVRs - come equipped with onboard security settings that take only a few minutes to configure and effectively lock out anyone who shouldn't have access. Also, a simple step like changing the default username and password can do wonders.

For my Ethical Hackers. We should have one of each in Lab 117...

Attack Toolkits Dominating the Threat Landscape

"The ease-of-use and ability to amass great profits through the use of easily accessible 'attack toolkits' are driving faster proliferation of cyber attacks and expanding the pool of attackers, opening the doors to more criminals who would likely otherwise lack the required technical expertise to succeed in the cybercrime underground. The relative simplicity and effectiveness of attack kits has contributed to their increased use in cybercrime — these kits are now being used in the majority of malicious Internet attacks."

[From the article:

• Popularity and demand has driven up the cost of attack kits. In 2006, WebAttacker, a popular attack toolkit, sold for $15 on the underground economy. In 2010, ZeuS 2.0 was advertised for up to $8,000.

• Of the Web-based threat activity detected by Symantec during the reporting period, 61 percent was attributable to attack kits.

Politicians are idiots. Anyone can use the Internet today – If they choose to... Is this a step toward mandatory Internet use? (Perhaps with built in cameras and microphones?)

UK To Offer PCs For £98, Subsidized Internet Connections

"The UK government wants to offer low-cost computers as part of a 12-month trial during Race Online 2012. The scheme, which aims to reach out to the 9.2 million adults that are not yet online, 4 million of whom are considered socially and economically disadvantaged, aims to 'make the UK the first nation in the world where everyone can use the web.' Prices will start at £98 ($156.01) for a refurbished PC, with subsidized Internet connections available for as little as £9 ($14.33) a month or £18 ($28.65) for three months. The cheap computers will run open-source software (think Linux) and will include a flat-screen monitor, keyboard, mouse, dedicated telephone helpline, delivery, and even a warranty. The cheap Internet packages will use a mobile dongle to help people access the web."

Something for all my Math students...

Wednesday, January 19, 2011

Microsoft Mathematics 4.0 - A Scientific Calculator

Microsoft has released a new scientific calculator that you can download for free (Windows only). Microsoft Mathematics 4.0 is a graphing calculator that plots in 2D and 3D. Of course, the calculator does many other functions such as solving inequalities, converting units of measure, and performing matrix and vector operations.

[From the Microsoft website:

With Microsoft Mathematics, students can learn to solve equations step-by-step

Tuesday, January 18, 2011

I'm not sure we should dismiss the risk out of hand either...

Threat of Cyberwar Is Over-Hyped

"A new OECD report suggests the cyberwar threat is over-hyped. A pair of British researchers have said states are only likely to use cyberattacks against other states when already involved in military action against them, and that sub-state actors such as terrorists and individual hackers can't really do much damage. Dr. Ian Brown said, 'We think that describing things like online fraud and hacktivism as cyberwar is very misleading.'"

[From the article:

Between well-equipped states, like the US, China, UK and so on, certain cyber-weaponry would likely be part of any future war.

But having said that, we think that less capable states and sub-state actors, like terrorist groups and individual hackers, will not be able to have an equivalent damaging effect using cyber attacks.

A very short White Paper talking about Cloud Computing as a tool for handling large collections of data.

Canada Explores New Frontiers In Astroinformatics

"The number of scientific instruments available to astronomy researchers for gathering data has grown significantly in recent years, leading to unprecedented amounts of information that requires vast storage and processing capabilities. Canadian researchers are finding a way around this problem (PDF) with a new solution that combines the best of grid and cloud computing, allowing them to more efficiently reach their research goals."

Perhaps this kind of extortion wouldn't play well in court...

File-sharing Cases – ACS:Law Fails to Appear in Court After Trying to Drop Lawsuits, While France Moves Forward with Warnings

January 17, 2011 by Dissent

enigmax writes:

Today a judge-ordered hearing took place in the Patents Court to decide how to handle all cases filed by ACS:Law against alleged file-sharers. Despite claims by the law firm that they have no fears of going to court, last week all the cases were dropped and today, supported by claims of “an unfortunate family accident”, company owner Andrew Crossley failed to attend the hearing. All this as a new, mysterious and already controversial company appears to front the entire operation. And immediately backs out.

Last month ACS:Law made a messy attempt at achieving default judgments in the Patents County Court against 8 internet connection owners who the company claimed infringed or allowed others to infringe copyright.

Read more on TorrentFreak.

Meanwhile, over in France, Reporters Without Borders (RSF) reports that a second wave of warning letters is going out to alleged file-sharers:

Reporters Without Borders is concerned to see that the French authorities have advanced to the second stage of enforcement of the controversial HADOPI law, under which Internet users suspected of illegal file-sharing could end up having their Internet connection suspended.

After starting to send warning emails on 5 October, the authorities have announced that they are now sending out a second wave of emails accompanied by a certified letter. If violators continue to illegally download copyrighted material, the HADOPI’s Rights Protection Commission (CPD) can then ask a judge to order their Internet Service Provider to disconnect them for a month.

Read more on RSF.

Sort of like a “shrink wrap license?”

Article: The New Price to Play: Are Passive Online Media Users Bound by Terms of Use?

January 17, 2011 by Dissent

The New Price to Play: Are Passive Online Media Users Bound by Terms of Use?
Woodrow Hartzog University of North Carolina at Chapel Hill – School of Journalism and Mass Communication; Stanford University – Center for Internet and Society
Communication Law and Policy, Vol. 15, No. 4, p. 405, 2010

When individuals turn on the television, listen to the radio, or read newspapers, they are not forming contractual relationships. Yet almost without exception, online readers, viewers and listeners are required to enter into “terms of use” contracts. These ubiquitous agreements are generally unfavorable for the user in areas of intellectual property rights and privacy. In addition, the terms often restrict users’ behavior and their ability to litigate any disputes with a Web site. In analyzing the implications of contracts for Web site users, this article examines whether courts have recognized a distinction between online consumers, interactive users, and “passive media users” – online readers, listeners or viewers who engage in little, if any, of the activity traditionally required to form contracts. Case law reveals a frequent de facto exemption from online agreements for passive media users, but not highly interactive users. This exemption could be formally recognized to benefit all parties to a contract.

Source: SSRN. The full article does not seem to be available on their site at this time.

[nor is it on the UNC web site... Bob]

Or is this a way to avoid conflict with the SEC?

Goldman Sachs Says No Facebook Shares For US Investors

"In 2009, Robert Cringely speculated that the day might be coming when Goldman Sachs decides the United States isn't worth dealing with anymore. Crazy, eh? Maybe not. Blaming 'intense media attention,' Goldman Sachs has decided to exclude US investors from a $1.5 billion Facebook offering. In a nicely-timed all-investors-are-not-created-equal MLK Day statement, the US taxpayer bailout beneficiary said, 'Goldman Sachs decided to proceed only with the offer to investors outside the US.... We regret the consequences of this decision, but Goldman Sachs believes this is the most prudent path to take.'"

Visualize a bigger Internet – much bigger...

How Bigger The Internet Would Become By 2020 (Infographic)

Monday, January 17, 2011

In some circumstances I might agree...

January 16, 2011

Comment: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information

McIntyre, Joshua J., The Number is Me: Why Internet Protocol (IP) Addresses Should Be Protected as Personally Identifiable Information (August 15, 2010). DePaul Law Review, Vol. 60, No. 3, 2011.

  • "Although computer logs typically correlate online activity only to Internet Protocol (IP) addresses, those addresses can be used to expose the individuals behind the computers. While various federal statutes protect similar data, such as telephone numbers and mailing addresses, as Personally Identifiable Information, federal privacy law does not sufficiently protect IP addresses. It has become commonplace for litigants to subpoena Internet Service Providers (ISPs) to unmask online speakers, and, because many ISPs have no reason to fight these subpoenas, they readily give up their subscribers’ names, addresses, telephone numbers, and other identifying data without demanding any court oversight or providing any notice to those identified. Left unchecked, such reporting could undermine free speech and the free exchange of ideas by encouraging users to censor their own online conduct. This Comment explores the possibility of protecting the IP address itself as Personally Identifiable Information (PII). It explores the various definitions of PII and the relevant technical aspects of IP addressing. It concludes that, despite some technical shortcomings, IP addresses are functionally similar to other types of PII and should be similarly protected in order to protect online privacy."

Would this still be a crime if “acceptable use” could change without notice?

Breaching an AUP a Crime In Western Australia

"A recent court case highlights that breaching an acceptable use policy at work could land you in court in Western Australia: a police officer doing a search of the police database for a friend was fined — not for disclosing confidential police information, but for unlawful use of a 'restricted-access computer system' — cracking. More worryingly for West Australians, this legal blog points out that breaching any Acceptable Use Policy would seem to be enough to land you in jail for cracking — for example, using your internet connection to break copyright."

(Related) How about repeatedly changing how your private information is shared?

Facebook Now Shares Phone Number & Address With Third-Party Apps

Facebook recently announced on its developer blog that it will now be "making a user's address and mobile phone number accessible as part of the User Graph object." In other words, the site will now let third-party applications (think Farmville or that spammy app your friends keep falling for that promises to show them who is stalking them on Facebook) access your contact information.

"Because this is sensitive information," reads the announcement, "[...]permissions must be explicitly granted to your application by the user via our standard permissions dialogs." Take a look at the example permission dialog box, however, and tell us if you think this is enough.

Cyber Revolution a la Twitter? “The Twits are coming! The Twits are coming!”

Tunisia’s Jasmine Revolution: Spreading Fear Among Arab Dictators

(Related) How could you know if they are coming for you?

Monday, January 17, 2011

How to Use Twitter's Advanced Search Options

First, this is not one of those "Twitter will save education" posts. That said, Twitter can be useful for finding resources that can help you as a teacher. The first step in using Twitter is to develop a nice network of people that you interact with, commonly referred to as a personal learning network or PLN. Here are eight ways to develop a PLN. Once you develop a PLN you have a great place to ask questions and share resources. But even then sometimes you won't get quite what you're seeking. In those cases you can turn to Twitter Advanced Search to see what people outside of your PLN have to offer.

Mashable recently produced a video demonstrating how to use Twitter Advanced Search. This three minute video covers what you need to know in order to take advantage of all the information shared on Twitter.

What do I tell my wife when thousands of women start calling for a date? (Fortunately, she will easily believe they are confusing me with someone else...)

Dating Site Creates Profiles From Public Records

"Online dating company Gotham Dating Partners has announced plans to create profiles for non-registered individuals based on publicly available information from social networking sites, e-mail registries, mailing lists, marketing surveys, government census records, real estate listings and business websites. Although the Australian Privacy Commissioner has warned that the automatic creation of identifiable profiles of individuals without their knowledge is 'not good privacy practice,' Gotham Dating Partners does not expect to face any privacy issues from the move, which is expected to boost its membership from 6.5 million to 340 million worldwide."

For my Statistics students. What percentage of students have mental health problems?

New Study Links Video Games and Mental Problems

"A new study published today in Pediatrics Journal conducted in Singapore on three thousand children in the third, fourth, seventh and eighth grades claims that one in ten are video game addicts and almost all of those suffer mental health problems. This comes conveniently after the suspect in the Tucson shooting has widely been reported as an online gamer. Among the accusations from the study are that playing video games leads to lower school performance and fewer social skills while exacerbating existing depression, anxiety and social phobias. Gamasutra reports that the Entertainment Software Alliance is already criticizing this study saying 'Its definition of 'pathological gaming' is neither scientifically nor medically accepted and the type of measure used has been criticized by other scholars. Other outcomes are also measured using dubious instruments when well-validated tools are readily available. In addition, because the effect sizes of the outcomes are mainly trivial, it leaves open the possibility the author is simply interpreting things as negatively as possible.' It seems that the doctors are still disagreeing on whether or not gaming causes problems."

For my Ethical Hackers: Why take public transportation when you can drive a Lexus?

Car Theft by Antenna

Sunday, January 16, 2011

Clearly we need a model. Is this one adequate?

Understanding Proposed Models for Privacy

January 15, 2011 by Dissent

Andy Serwin, who recently published the article, “The Federal Trade Commission and Privacy: Defining Enforcement and Encouraging the Adoption of Best Practices” (available on SSRN), has a new blog post, “Understanding Proposed Models for Privacy.”

I can see already that it will take me at least a few cups of coffee to work my way through his post, but I want to pull out one section here so that my blog readers will understand why I think we should all be reading and discussing his approach and ideas:

There are some that have interpreted my Privacy 3.0 article, first published over 3 years ago as a chapter in my privacy treatise, as advocating purely a focus on sensitivity and ignoring other issues. If this were true, I would have called the article Privacy 3.0—The Principle of Sensitivity. I did not because I believe that while sensitivity is extremely important, and data classification is the first step in the analysis, it is truly only the first step, which is why I chose the word proportionality.[11]

In Privacy 3.0 I argued that it was widely recognized that the current theoretical construct of privacy—Prosser’s tort-based enforcement/accountability model—had failed. What was needed was a model that provided appropriate, but not over or under-inclusive protection, particularly in the rapidly changing Web 2.0 world where information sharing was the basis of a number of now ubiquitous services, such as Facebook.

I also recognized that society would gain benefit from information sharing, though there should be restrictions, or use-limitations, on the sharing.

Instead, a theory of proportional protection places higher restrictions and access barriers on truly sensitive information that either has limited or no use to third-parties and has great capacity to damage individuals and society, while simultaneously permitting the necessary and appropriate access to those having a legitimate need to know certain information, particularly when that information is less sensitive. Proportionality also has the advantage of minimizing the societal impact of privacy issues because enforcement and compliance will be focused on the most appropriate levels of sensitive information.[12]

In other words, use-limitations should be proportional to the sensitivity of data.

While an examination of data elements for sensitivity could lead to improving privacy protection, that model did not seem to provide prospective guidance. As such, I proposed creating four tiers—highly sensitive; sensitive; slightly sensitive; and non-sensitive. By creating these tiers, one could associate certain use-restrictions and enforcement with each tier. As noted below, I did not simply focus on sensitivity as part of proportionality, but rather a broader set of issues that needed to be defined once the four tiers of information were created:

Thus, there are common elements that I will be discussing regarding each tier. These include:

  • whether information can be gathered without notice or consent;

  • whether consent must be opt-in or opt-out;

  • the effect of consent;

  • the types of processing that can be done;

  • can information be gathered under false pretenses;

  • are there time restrictions upon the retention of the data;

  • data security requirements;

  • data destruction requirements;

  • what steps are required, or permitted, to mitigate any mishandling of information; and

  • penalties for misuse of the information, including the imposition of statutory penalties in certain cases.

Read the whole article on Privacy & Security Source.

(Related) "Never tell anybody outside the family what you're thinking..." Don Corleone to Sonny

Can You Tell Your Own True Story Even If It Impinges on the Privacy of Your Lovers, Friends, and Family?

January 15, 2011 by Dissent

One of the limitations on the ability to keep some things private is that the information may be revealed by family members. As mentioned in previous entries on this blog, and more recently in the context of genetic issues, your private information may be revealed in a number of legal, however unfortunate, ways.

Attorney Mark Fowler has an interesting blog entry about this topic. It begins:

Autobiographers and memoirists sometimes face thorny legal issues when they write about aspects of their own lives that are inseparably intertwined with the private lives of others. Can a woman truthfully describe the intimate details of her sex life if, in doing so, she identifies her partner and aspects of his life (adultery, promiscuity, kinkiness?) he would prefer to keep forever secret? Can a gay man write about his HIV-positive status if, in doing so, he effectively discloses that his partner is also infected with the virus? The answer is an unsatisfying: “Sometimes — provided it is done the right way.”

Read more on Rights of Writers. It’s a fascinating and complex issue and Fowler discusses some cases to clarify how courts have approached the situation when right to privacy may collide with a speaker’s right to tell their own life’s story.

Cyber War Interesting but speculative. This is how it could have been done, but could we keep the secret? Past experience suggests we could not.

New York Times Reports US and Israel Behind Stuxnet

"Confirming heavy speculation in the Slashdot community, the New York Times reports that joint US-Israeli efforts were almost certainly behind the recent Stuxnet attack on Iran's nuclear program."

The article stops just short of saying in so many words that Israel is the doer, but leaves little doubt of its conclusion.

You win some...

Court: Tucows doesn’t have to reveal name of user of privacy service

January 16, 2011 by Dissent

O’Raghallaigh of Managing Intellectual Property notes that the Court of Appeals for the Ninth Circuit affirmed a lower court ruling in Balsam v. Tucows holding that Tucows was not obliged to reveal the identity of one of their registrants who used the firm’s Angeles privacy protection service.

Balsam had sought the identity of the individual who sent him a lot of spam, and while the court was sympathetic, it offered him no legal joy:

There is no simple remedy for the vast number of unsolicited emails, popularly known as “spam,” that fill our electronic inboxes daily. Even though federal and state legislatures have adopted various laws to combat this problem, “spammers” continue to find new ways to advertise. Daniel Balsam, a victim of spam, seeks an alternative method of enforcement by bringing claims against the registrar of a domain site that bombarded him with more than 1,000 unwanted emails advertising a pornographic website. He claims that the registrar utilizes a system to hide the identity of spammers, making it difficult to identify the spammer. We consider Balsam’s claim that he is an intended third-party beneficiary of an agreement between the registrar and the Internet Corporation for Assigned Names and Numbers (“ICANN”). Under Balsam’s theory, the agreement’s provisions on wrongful use of domain names inure to his benefit. Although his approach is novel and creative, it cannot survive a motion to dismiss.

...and you lose some.

Our View: Court hangs up on Fourth Amendment

January 16, 2011 by Dissent

An editorial in the Appeal-Democrat addresses the Ninth Circuit decision in Diaz:

The California Supreme Court has expanded law enforcement authority at the expense of privacy and personal liberty by allowing police to confiscate and search cell phones of people they arrest without first obtaining a search warrant.

In a 5-2 decision Jan. 3, the court held that cell phones are “entitled” to inspection by law enforcement upon an arrest because the devices are considered “immediately associated with (the arrestee’s) person.” The majority opinion in the case, People v. Diaz, ruled that “lawful custodial arrest justifies the infringement of any privacy interest the arrestee may have in property immediately associated with his or her person at the time of arrest.” [Would that extend to data “in the Cloud?” Bob]

Essentially, the ruling treats a cell phone akin to clothing worn by an arrestee — a bad idea with troubling consequences.

Read more of the editorial in the Appeal-Democrat.