Saturday, February 05, 2011

Cyber War: Consider this “target selection”

Report: Hackers penetrated Nasdaq computers

Federal authorities are investigating repeated intrusions into the computer network that runs the Nasdaq stock exchange, according to a Wall Street Journal report that cited people familiar with the matter.

The intrusions did not compromise the tech-heavy exchange's trading platform, which executes investors' trades, but it was unknown which other sections of the network were accessed, according to the report.

"So far, [the perpetrators] appear to have just been looking around," one person involved in the Nasdaq matter told the Journal.

The Secret Service reportedly initiated an investigation involving New York-based Nasdaq OMX Group last year, and the Federal Bureau of Investigation has launched a probe as well. Investigators are considering a range of motives for the breach, including national security threat, personal financial gain, and theft of trade secrets, the newspaper reported.

… Investigators have not been able to follow the intruders' path to any specific individual or country, but people familiar with the matter say some evidence points to Russia, according to the report. However, they caution that hackers may just be using Russia as a conduit for their activities.

One downside risk of “push” updates...

Security Warning Over Web-Based Android Market

"Security researcher Vanja Svajcer is warning that cybercriminals may be particularly interested in stealing your Google credentials, after discovering a way of installing applications onto Android smartphones with no interaction required by the phone's owner. The new web-based Android Market retrieves the details of Android devices registered to the Google address, and automatically installs software onto the associated smartphones with no user interaction required on the phone itself. Svajcer summarizes: 'Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.'"

There is no Security Silver Bullet. Definitely an article worth reading...

Facebook HTTPS: False sense of security?

The rollout of Facebook's new Hypertext Transfer Protocol Secure encryption is about complete. (Elinor Mills described the feature in a post on her InSecurity Complex blog last week.) While encryption is a welcome addition to the social network, it is far from a Facebook security panacea.

To enable encryption in Facebook, click Account in the top-right corner and choose Account Settings. Select Change next to Account Security to view your current settings. Check the option under Secure Browsing (https). You may also want to check "Send me an email" under "When a new computer or mobile device logs into this account" to be alerted to possible unauthorized access to your account.

Just another name for the technique that allows “Behavioral Advertising”

History Sniffing Code Collides With Privacy Concerns

February 5, 2011 by Dissent

E. Todd Presnell and Sepideh C. Khansari write:

History sniffing is now the centerpiece of a growing number of consumer class action lawsuits against name-brand companies seeking unspecified damages arising from invasion of privacy, common law tort claims, and statutory violations. And these history-sniffing actions and resulting lawsuits have attracted attention from other class action lawyers, academic researchers, investigative journalists, and federal regulators.

Read their discussion of cases in the courts on

Medicine is a business, just a poorly run business.

FTC Offers Businesses Tips for Dealing with Medical Identity Theft

By Dissent, February 5, 2011

The Federal Trade Commission, the nation’s consumer protection agency, has information for health care providers and insurers about how to help patients minimize the risk of medical identity theft and deal with the consequences if they become victims of it. Here are the highlights of the FTC’s new publication, Medical Identity Theft FAQs for Health Care Providers and Health Plans:

  • How would people know if they’re victims of medical identity theft?

  • What should health care providers and insurers do if they learn that a patient may be the victim of medical identity theft?

  • What should health care providers and insurers tell a patient who is the victim of medical identity theft?

  • How can health care providers and insurers help patients deter, detect, and defend against medical identity theft?

Source: FTC

[From the FTC website:

What should I do if I learn that a patient may be a victim of medical identity theft?

Conduct an investigation. For example, if your billing department gets a call from a patient who claims she was billed for services she didn’t receive, review your records relating to the services performed and any supporting documentation that verifies the identity of the person receiving the services. You also should review the patient’s medical record for inconsistencies.

If you determine there was medical identity theft, notify everyone who accessed the patient’s medical or billing records. Tell them what information is inaccurate in the patient’s files, and ask them to correct the records.

[I would like to believe that “inconsistencies” would be immediately recognized by my doctor. “Well, it looks like your appendix grew back...” I'm much less confident that providers would know who had accessed my records, and I have no confidence that they could ensure corrections were made. Bob]

Another “exception”

Court: Husband’s Access of Wife’s Email to Obtain Information for Divorce Proceeding is not Outrageous

February 4, 2011 by Dissent

Venkat Balasubramani discusses a case in Arkansas:

Miller v. Meyers, 09-cv-6103 (W.D. Ark.; Jan 21, 2011)

This case presents another fact pattern involving an increasingly common twist to the modern divorce proceeding – someone surreptitiously accesses his or her spouse’s email and on-line accounts to gather information to be used in a family law proceeding. The now ex-spouse brings a claim for violation of statutes protecting the privacy of communications. Here, the ex-spouse gets summary judgment on her Stored Communications Act claim, and the parties shortly settle after the court’s ruling.


Finally, the court rejects plaintiff’s claims for intentional infliction of emotional distress, finding that defendant’s conduct was not shocking or outrageous. Here the court throws out a zinger:

Defendant’s conduct of monitoring the internet traffic on his home network and using a keylogger to access his then wife’s emails, and then using copies of those documents in divorce and custody proceedings is not extreme and outrageous conduct. A husband prying into his wife’s email, after learning that she was engaging in conversations and photo sharing, and then using damaging emails in a divorce and custody proceedings can hardly be considered “extreme and outrageous,” “beyond all possible bounds of decency,” or “utterly intolerable in a civilized society.”

Say what? I guess all is fair in love and war (including violating federal statutes), in this court’s view.

Read more on Technology & Marketing Blog.

What really struck me about this case is how civil it all was. If this were Michigan and not Arkansas, the snooping spouse might be charged with a felony. So what would this Arkansas judge say – that felonious behavior is neither extreme nor outrageous conduct in a marriage?

Will anyone notice?

The Personal Data Protection Act: Everyone Has Something to Hide

February 4, 2011 by Dissent

Wendy Kaminer comments that we all need to be more concerned about protecting our privacy from state or government surveillance. A bill introduced in the Massachusetts legislature offers an opportunity for Massachusetts residents to push back against increasing surveillance and fusion centers:

Massachusetts has a chance to take the lead in protecting individual privacy and First Amendment rights. A Privacy and Personal Data Protection Act aimed at limiting the reach and secrecy of fusion centers has recently been introduced in the state legislature. It would prohibit data collection involving someone’s political or religious views, associations or activities [Except for things like Red Light cameras, which are triggered by an “illegal event” and “information” (evidence?) gathered only to identify the perpetrator. Bob] absent reasonable suspicion of criminal conduct, and it would afford people limited rights to access the information stored about them. Federal agents could still exempt information from state privacy requirements by labeling it classified, and whatever data Massachusetts might be prohibited from collecting could be collected by other states or by the federal government (though perhaps not accessed by Massachusetts).

But if the individual rights protected by this bill would be limited, as a practical matter, efforts to pass it could raise awareness of fusion center abuses; and passage of the bill could have significant symbolic value. Fusion centers are part of a national surveillance regime that individual states lack power to restrain and federal authorities lack will to dismantle. We can only hope that the people cease accommodating, much less celebrating, the panopticon and begin to rebel against it.

Read her entire commentary in The Atlantic.

The ACLU has produced a fact sheet about the bill, available on their site. The bills are SD 1449 and HD 1539 in the Massachusetts Senate and House, respectively.

If this is not precisely a scam, it certainly pushes ethical boundaries...

UK File-Sharing Lawyers ACS:Law Shut Up Shop Ahead of Court

"Controversial legal firm ACS Law and its sole file-sharing client Media CAT have shut down their businesses, days before a ruling is due in a case they brought to the UK Patent Court. ACS Law is infamous for sending out letters to alleged illegal file sharers, demanding payment and threatening law suits. Now that ACS has a case before a judge, it's trying to drop the cases, and has now completely closed its doors. The defendants' lawyers are trying to keep the case going, in order to be able to claim back costs."

That sounds right in line with other recent ACS happenings, from getting upbraided by a judge to being blacklisted by an ISP, and even putting the brakes on the file-sharing cases themselves.

This confirms anecdotal information available since the early days (1980's) of “shareware.”

Piracy Boosts Anime Sales, Says Japanese Government Study

"A new study seems to confirm what a lot of the Slashdot crowd thinks, and the opposite of what the **AAs say: 'A prestigious economics think-tank of the Japanese government has published a study which concludes that online piracy of anime shows actually increases sales of DVDs. The conclusion stands in sharp contrast with the entertainment industry's claims that "illicit" downloading is leading to billions of dollars in losses worldwide. It also puts the increased anti-piracy efforts of the anime industry in doubt.' More specifically, '(1) YouTube viewing does not negatively affect DVD rentals, and it appears to help raise DVD sales; and (2) although Winny [a popular P2P program in Japan] file sharing negatively affects DVD rentals, it does not affect DVD sales.'"

An interesting little something for my IP lawyer friends...

Trademark Database Trademarkia Debuts Automatic Activity Notifications

Applications for the “new data” available on the Internet.

Giant Archaeological Trove Found Via Google Earth

"Using detailed satellite imagery available through Google Earth, Australian researchers have discovered what may be tombs that are thousands of years old in remote stretches of Saudi Arabia (abstract). 'Kennedy scanned 1240 square kilometers in Saudi Arabia using Google Earth. From their birds-eye view he found 1977 potential archaeological sites, including 1082 "pendants" — ancient tear-drop shaped tombs made of stone. According to Kennedy, aerial photography of Saudi Arabia is not made available to most archaeologists, and it's difficult, if not impossible, to fly over the nation. "But, Google Earth can outflank them," he says. Kennedy confirmed that the sites were vestiges of an ancient life — rather than vegetation or shadow - by asking a friend in Saudi Arabia, who is not an archaeologist, to drive out to two of the sites and photograph them. By comparing the images with structures that Kennedy has seen in Jordan, he believes the sites may be up to 9000 years old, but ground verification is needed."


Algorithm Contest Aims To Predict Health Problems

"The April 4 launch of the $3 million Heritage Health Prize has been announced by the Heritage Provider Network, a network of doctors. The competition challenges data hackers to build algorithms that predict who will go to the hospital in the next year, so that preventative action can be taken. An algorithm might find that somebody with diabetes, hypertension and high cholesterol is a 90 per cent risk for hospitalization. Knowing this, it might be cheaper [Words that result in funding... Bob] for an HMO to enroll them in an exercise program now rather than pay the likely hospital bill. The competition takes the same approach as the $1 million Netflix Prize, but solves a far more significant problem."

I think these have a place in the “Intro to IT” course...

Mozilla Announces Game On Competition Winners

"Mozilla has announced the winners of the Game On competition, a contest designed to encourage the development of games based on web technologies. In the various competition categories Far 7 won Best Technology, Sketchout won Best Aesthetics, Favimon won Most Original, Websnooker won Most Polished, and Robots Are People Too won Most Fun. Z-Type won the Community Choice category and Marble Run won Best Web-iness and Best Overall."

I always point these out to my students, then mention that I have better tools available through the college.

Plagiarisma: Easily Check Any Text For Plagiarism Online

Plagiarisma is a simple and free to use website that tests a given text for plagiarism. It does so by breaking down the text into various pieces and checking if those pieces can be found online on different websites. The search can be executed on Google, Bing, and Yahoo! search engines – it depends on your choice. The results are then displayed in a comprehensive and understandable manner.

You can enter text in three ways: by simply pasting/typing it, by entering the text’s URL, or by uploading a document file.

Similar tools: Plagium, The Plagiarism Checker, PaperRate and Copyscape.

Also read related articles:

Friday, February 04, 2011

Just in case you are feeling a bit paranoid, this should elevate “a bit” to “really really”

Ranking People Search Websites: How rank are they?

February 4, 2011 by Dissent

I’ve been on a bit of a tear recently about aggregators and data brokers after discovering that profiles I had deleted from had seemingly reappeared. I am still in communications with, which is why I haven’t published any update on my complaint yet, but hope to be able to blog more about it in the near future. I’ve also been in correspondence with where you may not even be able to find a way to ask them not to show results for your name unless you can figure out where their relevant page is (hint: there’s no page linked from the homepage that refers to privacy at all – see how long it takes you to find the page with instructions).

Recently, I learned that the Privacy Rights Clearinghouse had compiled a list of 127 such sites and had annotated their list with some information about whether it’s possible to opt-out.

Even if all sites allowed it, why should consumers who did not consent to having their data aggregated and sold openly on the Internet have to opt out?

Why should stalking victims have to spend time – and in some cases money – and jump through hoops to try to prevent information about them being made readily available to their stalkers?

Yesterday, I learned that Abine, a company that specializes in removing personal information for people, had ranked a dozen of these sites on three factors:

  1. Ease of opting out

  2. Quality of customer service

  3. Respect for individual privacy

The “respect for individual privacy” was defined as “Does the site share your information with third parties, like advertisers? How much of your information do they display?”

You can read the results of their rankings on their web site.

Not surprisingly to me, Intelius was rated the worst, and with it, ZabaSearch and PeopleLookUp. Abine writes:

We lump these three together because, try as they might to pretend to be different companies, they’re all the same thing. In fact, Intelius feeds its data to dozens of different sites, but these are the biggest and best-known. These sites made it on our ultimate worsts list because of their outdated fax opt-out procedure and their time-wasting (and very transparent) insistence that you complete a separate opt-out for each of their “separate” companies. Whenever we delete a customer’s name from these sites, we have to send separate faxes addressed to different companies all at the same fax number.

It’s like a game we play: they pretend they’re separate entities who just happen to have the same fax number, and we pretend that we don’t notice and adhere to their ridiculous procedures. Game’s over, guys: we see what you’re doing. (And we’re not the first to figure this out: check out Steve Klingaman’s funny and exasperated post on “Attempts to Escape the Clutches of Online Data Aggregators.”)

Intelius (we’re just going to call all three of these sites “Intelius” for ease of typing) gets additional marks against it because of how readily it sells your information, spreading it all over the web. For instance,, a people search aggregator that collects information on you from multiple smaller databases, gets most of its information from Intelius.

In an exchange on Twitter yesterday, Jim Adler, Chief Privacy Officer for Intelius, agreed that the fax opt-out system was outdated and indicated that the firm was looking at a web-based approach to opt-out. While that would certainly be an improvement and I hope the company implements it in the immediate future, it still leaves consumers in the unenviable position of having to track down companies to opt-out instead of having one “Do Not Aggregate” or “Do Not Display” list that would prevent all people search sites from displaying profiles or results on the individual.

I would prefer that these sites got together and agreed on a common opt-out that they would all abide by – that if a user submits name/address/zip to a central “Do not aggregate or reveal,” all sites would respect that. Failing that, and despite the anti-regulation folks, I would support government regulation on this because these sites may cause harm in any one of a number of ways, not the least of which is increasing the risk of identity theft.

Because schools are better parents than parents...

Teachers’ search powers would ‘exceed those of police’

February 4, 2011 by Dissent

Wow. When I started reading this article, I wondered what third world country the news was from. Then I discovered it’s from the UK. Double wow.

New legislation will give teachers “unprecedented” powers to search pupils that will exceed those of the police.

The Coalition’s Education Bill, published last week, will dramatically extend teachers’ search powers, which human rights group Liberty has described as being “proportionate to terrorism investigations”.

The bill gives teachers the power to seize any electronic device – including mobile phones – and examine all data they may contain.

It also allows teachers to erase any files or data, if a member of staff believes it is reasonable to do so.

Announcing the bill last week, education secretary Michael Gove said the legislation signalled that the Coalition was “absolutely on the side of teachers”, and it would free staff to “impose the penalties they need to keep order”.

Read more on TES Connect.

(Related) Clearly, if schools can monitor student off-campus activity, a “real” government can monitor its employees' non-work lives.

Anniston, Alabama To Censor Employees' Facebook Pages

"If you're a city employee in Anniston, AL, you'd better watch what you say on Facebook. Under a proposal being considered by the City Council, employees would be banned from posting anything 'negative' or 'embarrassing' about the city. Note that they aren't talking about official city pages here, but employees' personal pages. Anyone care to educate these clowns on the existence of the First Amendment?"

(Related) After all, sometimes monitoring is required by regulation...

Big Brother Friends Facebook

"Clara Shih, who created the first business app on Facebook in 2007, is back with a new venture: Hearsay Social, which makes Facebook, Twitter and LinkedIn more palatable to corporations by adding features like SEC and FINRA monitoring and compliance and analytics. Conversations are monitored around the clock, regardless of where employees access pages from — work, home or mobile — and workflow tools let companies approve or suggest content before it appears. Those features appear to be making financial companies a little more comfortable Facebooking, as State Farm and Farmers Insurance are two early customers. Shih is backed in the new venture by veterans of Facebook, Twitter and YouTube."

“Hey, you made the data public!”

‘Dating’ Site Imports 250,000 Facebook Profiles, Without Permission

February 3, 2011 by Dissent

Ryan Singel reports:

How does an unknown dating site, with the absurd intention of destroying Facebook, launch with 250,000 member profiles on the first day?


You scrape data from Facebook.

At least, that’s the approach taken by two provocateurs who launched this week, with profiles — names, locations and photos — scraped from publicly accessible Facebook pages. The site categorizes these unwitting volunteers into personality types, using a facial recognition algorithm, so you can search for someone in your general area who is “easy going,” “smug” or “sly.”

Or you can just search on people’s real names.

The duo behind the site say it’s art, not commerce.


Cirio and Ludovic say they will take down a user’s profile, if a person asks and the site doesn’t have any indication they are actually trying to make any money. Instead, it’s part of a series of prank sites, the first two of which aimed at Google and Amazon, intended to make people think more about data in the age of internet behemoths.

Read more on Epicenter.

Adding a fake mustache isn't enough?

The Deidentification Dilemma: A Legislative and Contractual Proposal

February 3, 2011 by Dissent

Bob Gellman always provides a lot of food for thought (see, for example, his recent comment on another post and the article he links to). Another one of his papers, mentioned in a past post, is now published in the Fordham Intellectual Property, Media & Entertainment Law Journal (2011, vol 21, 33-61) and is available online: The Deidentification Dilemma: A Legislative and Contractual Proposal. Here’s the abstract:

Deidentification is one method for protecting privacy while permitting other uses of personal information. However, deidentified data is often still capable of being reidentified. The main purpose of this article is to offer a legislative-based contractual solution for the sharing of deidentified personal information while providing protections for privacy. The legislative framework allows a data discloser and a data recipient to enter into a voluntary contract that defines responsibilities and offers remedies to aggrieved individuals.

Thanks to the World Privacy Forum for making me aware of this.


UK: Patients are “misled” over confidentiality of health e-records, say Oxford researchers

By Dissent, February 3, 2011

Tony Collins reports:

Researchers from Oxford University say that patients are not being adequately informed about possible secondary uses of their medical data for research and are “misled about the level of anonymisation of their data and the likelihood of re-identification”.

The criticism is in a paper, “The limits of anonymisation in NHS data systems”, which was published yesterday by the British Medical Journal [2 February 2011].

Read more on Computerworld (UK)

Because everyone needs to be anonymous?

Hotmail Launches Accounts You Can Throw Away

"Today, Hotmail is getting a new feature aimed at 'e-mail enthusiasts,' which lets anyone create multiple e-mail accounts that can be read, replied to, and managed from their everyday e-mail inbox. These additional e-mail addresses can be had in the same manner as signing up for new accounts, but they require no extra log-ins or upkeep. ... The idea is to give users a safe way to provide third parties with an e-mail address, without giving up the address they've provided to family and friends, which, if compromised, can end the usefulness of that particular account. Each user will be able to create up to five aliases, any of which can be deleted and replaced with another at any time. Over time, Microsoft will increase that limit to 15 aliases per account, making it so that the true heavy users won't need to juggle between two or more Hotmail accounts."

I wonder how many lawyers will submit questions?

Questions about HIPAA? CDT wants to know.

By Dissent, February 3, 2011

From the Center for Democracy and Technology:

As “Health 2.0” tools – such as healthcare apps on smartphones – become more common, it’s increasingly important for both developers and patients using these tools to learn how HIPAA protects patient medical data. Yet it is not entirely clear how HIPAA intersects with many emerging services that use digital health data. CDT launched a project to get information on what areas of HIPAA are unclear to the Health 2.0 community. If you’re a healthcare provider, Health 2.0 developer, or e-patient, and you have questions about how HIPAA affects your rights and services, please submit them to CDT. We will use these questions to urge the Office of Civil Rights (which enforces HIPAA) to provide more clarity.

“Unlimited means unlimited for certain values of unlimited...” Will there be a “market for minutes” where the bottom 5% can sell time to the top 5%?

Verizon To Throttle High-Bandwidth Users

"Verizon has enacted a new policy today that allows them to throttle 'high' bandwidth users on their network. We're not sure exactly what 'high' means but it is probably over 2GB of data per month. This comes as the iPhone launches on Verizon's network. The policy is said to only affect the top 5% of data users on the network. When these 5% of users hit the soft limit they will be throttled during peak times of the day. From the note sent to customers: 'Verizon Wireless strives to provide customers the best experience when using our network, a shared resource among tens of millions of customers. To help achieve this, if you use an extraordinary amount of data and fall within the top 5% of Verizon Wireless data users we may reduce your data throughput speeds periodically for the remainder of your then current and immediately following billing cycle to ensure high quality network performance for other users at locations and times of peak demand. Our proactive management of the Verizon Wireless network is designed to ensure that the remaining 95% of data customers aren't negatively affected by the inordinate data consumption of just a few users.'"

The Internet Kill Switch: If it isn't really going to protect infrastructure, how will President Mubarak use it? “We never let our ignorance of technology stop us from legislating technology.”

No, Hackers Can’t Open Hoover Dam Floodgates

The U.S. Bureau of Reclamation is shooting down a key legislative talking point: that the internet “kill-switch” legislation is needed to prevent cyberterrorists from opening the Hoover Dam’s floodgates.

The brouhaha started last week, when legislative aides on the Homeland Security and Governmental Affairs committee offered Threat Level examples of why the Protecting Cyberspace as a National Asset Act was needed. The bill, one aide said, would give the president the power to force “the system that controls the floodgates to the Hoover Dam” to cut its connection to the net if the government detected an imminent cyberattack.

(Related) If President Obama ever pushes the “Internet Kill Switch,” the younger generation will take to the streets!

PS3 Piracy Threats Cause Phone-Home DRM

"The last time game developer Capcom tried to impose Internet-based copy protection on one of its games, it was forced to backtrack over a storm of complaints. In that instance Final Fight: Double Impact was hobbled with a piracy-busting scheme which phoned home every time the game was booted, but Capcom forgot to mention that little nugget of information to potential purchasers — an omission which eventually led to the DRM scheme being hastily withdrawn. The company has decided not to repeat the mistake with its latest release, Bionic Commando Rearmed 2, by making it clear that the game won't work unless it gets a sign-off from the company's servers."

...and people in my generation still use quill pens...

February 03, 2011

Pew: Generations and their gadgets

Report: Generations, Mobile, Seniors - Generations and their gadgets, by Kathryn Zickuhr, Feb 3, 2011

  • Many devices have become popular across generations, with a majority now owning cell phones, laptops and desktop computers. Younger adults are leading the way in increased mobility, preferring laptops to desktops and using their cell phones for a variety of functions, including internet, email, music, games, and video. Among the findings:

  • Cell phones are by far the most popular device among American adults, especially for adults under the age of 65. Some 85% of adults own cell phones overall. Taking pictures (done by 76% of cell owners) and text messaging (done by 72% of cell owners) are the two non-voice functions that are widely popular among all cell phone users.

  • Desktop computers are most popular with adults ages 35-65, with 69% of Gen X, 65% of Younger Boomers and 64% of Older Boomers owning these devices.

  • Millennials are the only generation that is more likely to own a laptop computer or netbook than a desktop: 70% own a laptop, compared with 57% who own a desktop.

  • While almost half of all adults own an mp3 player like an iPod, this device is by far the most popular with Millennials, the youngest generation—74% of adults ages 18-34 own an mp3 player, compared with 56% of the next oldest generation, Gen X (ages 35-46).

(Related) I suppose it could be worse...

An Illustrated Evolution Of Media Content (Infographic)

Darwin was right. To really mis-quote Santayana: “Those who cannot understand technology are condemned to death by technology.”

'Death By GPS' Increasing In America's Wilderness

"Every year, more and more Americans are dying in deserts and wildernesses because they rely on their GPS units (and, to some degree, their cellphones) to always be accurate. The Sacramento Bee quotes Death Valley wilderness coordinator Charlie Callagan: 'It's what I'm beginning to call death by GPS ... People are renting vehicles with GPS and they have no idea how it works and they are willing to trust the GPS to lead them into the middle of nowhere.'"

Thursday, February 03, 2011

A real theft of virtual treasure. The same Economic laws apply in the virtual world.

Hacker Steals $12 Million Worth of Zynga Poker Chips

Gamasutra reports that a 29-year-old British man has been convicted of hacking into Zynga's game servers and helping himself to 400 billion virtual poker chips.

"'The defendant sold around one third of the 400 billion poker chips, and looking at the auction history where one can purchase such items, he was selling them for around £430 ($695) per billion,' said prosecutor Gareth Evans, according to a report from local newspaper Herald Express. Sold legitimately through Zynga, the full amount of chips would have brought in some $12 million. The prosecutor estimated that if Mitchell sold all of the virtual chips on the black market, he would have made a fraction of that, around £184,000 ($297,000). Evans admitted that valuing virtual currency can be difficult and that the company was not actually deprived of tangible goods, but he said that the theft could still affect the developer by indirectly causing legitimate online gamers to stop playing Zynga Poker or its other games."

This confirms my speculation that the “New” machines are really just a software tweak of the old machine displays. Apparently, this was disclosed but not clearly reported. I need better sources – or I need to read more carefully.

EPIC Files Lawsuit for Details on New Passenger Screening Devices

February 3, 2011 by Dissent


EPIC has filed a Freedom of Information Act lawsuit against the TSA for unlawfully withholding documents about software modifications to the Full-Body Scanners. EPIC submitted requests for these documents in June 2010 and October 2010. In response to mounting public criticism about the passenger screening program, the TSA recently announced that it would use “Automatic Target Recognition” software to mask the nude images of airline travelers that TSA officials currently view. However, documents obtained by EPIC in an earlier Freedom of Information Act lawsuit established that these procedures have the capability to store and record unfiltered images of passengers. EPIC has since filed a lawsuit to suspend the controversial screening program. The new case is EPIC v. Dep’t of Homeland Security, No. 1:11-cv-00290.

Bet you didn't know that until recently, when it came to Privacy, cell phones had no principles.

International Cellular Network Industry Association Releases Privacy Principles

February 3, 2011 by Dissent

Andrew Hoffman writes:

Hot on the trail of the FTC’s recent report on privacy, the GSMA, the London-based industry association representing over 800 cellular network operators worldwide, released its “high-level” Mobile Privacy Principles (the “Principles”) on January 27, 2011. The Principles were released with the goal of creating a “robust and effective framework for the protection of privacy” to promote users’ confidence and trust in mobile applications. These Principles encourage a “privacy by design” approach to mobile privacy and encourage a consistent and harmonized approach to privacy across mobile services and applications. Such Principles are highly relevant after the surge in mobile computing made possible by mobile devices, such as the iPhone, Blackberry, and Droid.

The two boldest aspects of the Principles are found in the definitions—namely, in how “personal information” is defined and in the broad responsibility of privacy espoused by the Principles.

Read more on Proskauer’s Privacy Law Blog.

[From the report:

Personal Information

a. Any data that is collected directly from a user (e.g. entered by the user via an application’s user interface and which may include name and address, credit card details)

b. Any data about a user that is gathered indirectly (e.g. mobile phone number, email address, name, gender, birth data, location data, IP address, IMEI, unique phone ID)

c. Any data about a user’s behaviour (e.g. location data, service and product use data, website visits)

d. Any user-generated data held on a user’s device (call logs, messages, user-generated images, contact lists or address books, notes, and security credentials)

Interesting that they had not already accessed available data. More cynical view: All that “concern” about handing data to the US was only for show...

EU wants air passenger data for terrorism probes

February 2, 2011 by Dissent

The European Commission proposed Wednesday that airlines provide EU governments with data about travelers flying in and out of the bloc, to help their efforts to combat terrorism and organized crime.

EU airlines already share passenger data with law enforcement officials in the United States, Canada and Australia, and the EU executive argued that pooling information in the 27-member bloc would make its use more efficient.

Read more of this Reuters report on WHNT.

Attention President Obama...

No Internet “kill Switch” For Australia

"Well, it looks as though at least some Governments have a backbone. Egypt switched off its internet to stop protests over the past few days, and the US Government is considering legislation that will give the President 'kill switch' powers over the internet as well. But in Australia, Communications Minister Stephen Conroy — best known for his attempt to filter the country's internet for child pornography and the country's flagship national fibre broadband rollout, says such a scenario couldn't occur." [Perhaps he is just technologically naive? Bob]

That didn't last long. “Oh gosh! Citizens can read? We better pull the bill.”

Usage Based Billing In Canada To Be Rescinded

"The Prime Minister of Canada and the Minister of Industry are set to reverse a ruling by the CRTC (Canadian Radio and Television Commission) allowing big Cable and Telecom companies to charge based on bandwidth usage. The ruling applied to both retail customers and smaller ISPs buying bandwidth wholesale from the major companies. The head of the CRTC has been called to testify before cabinet on why they want to allow the big internet providers to do this. In this case the elected government agrees with the very large number of angry Canadians that this was bad for competition. Most Canadians see this as a bureaucracy aided cash grab with very suspect timing since companies like Netflix are starting to move into the Canadian market (big cable companies lowered caps and increased usage fees a week before Netflix started Canadian operations). The CRTC has a fair number of ex-industry executives on the board."

The other side of that coin?

WikiLeaks Nominated For 2011 Nobel Peace Prize

"Whistle-blower site WikiLeaks has been nominated for the 2011 Nobel Peace Prize by a Norwegian politician who cited its role in freedom of speech, news agency NTB reported Wednesday. 'WikiLeaks is one of this century's most important contributors to freedom of speech and transparency,' parliamentarian Snorre Valen said in his nomination. Valen cited WikiLeaks' role in disclosing the assets of Tunisia's former president Zine El Abidine Ben Ali and his nearest family, contributing to the protests that forced them into exile."

(Related) Yet another side to that coin? Perhaps an edge?

Documents in Julian Assange Rape Investigation Leak Onto Web

A curiosity? Are they saying they can't trust the scientific conclusions they are paying for?

February 02, 2011

Salazar Announces New Scientific Integrity Policy and Designation of Departmental Science Integrity Office

News release: "Secretary of the Interior Ken Salazar today announced the establishment of a new policy to ensure and maintain the integrity of scientific and scholarly activities used in Departmental decision making. The policy follows on the Memorandum to the Heads of Departments and Agencies on Scientific Integrity issued in December and includes the designation of a Departmental Science Integrity Officer... As part of the implementation of the new policy, Secretary Salazar announced the appointment of Dr. Ralph Morgenweck, U.S. Fish and Wildlife Service Senior Science Advisor, to serve as the Department’s first Scientific Integrity Officer."

An important legal precedent? Does this apply to other genres?

Appeals Court: free Internet porn isn't unfair competition to pay sites

One day in March of 2009, the proprietors of were minding their own business, streaming free pornographic videos to the public, when they received notice of a lawsuit against them in the mail.

"The ubiquitous distribution of free adult videos through has had a massive negative impact on the business model of adult website proprietors," charged the complaint against Redtube owner Bright Imperial Limited of Hong Kong. "Now that consumers have the ability to watch high quality adult videos for free on, fewer are making the choice to pay other adult website proprietors for the same content."

Thus, has caused "many millions of dollars of damages to proprietors of adult entertainment websites," including those of the plaintiff in this instance, one Kevin Cammarata of Los Angeles, California. This, he charged, was a violation of California's Unfair Practices Act.

Whatever you think about Internet porn, if you have any sympathy for online commerce you will be glad to know that this lawsuit failed. A California Appeals court has dismissed the case as a Strategic Lawsuit Against Public Participation (SLAPP) suit—an action designed to censor free speech.

"The publication of a video on the Internet, whether it depicts teenagers playing football or adult entertainment, qualifies as 'conduct in furtherance of... free speech,'" the court ruled last week. "...All of Cammarata's causes of action arise from Bright's conduct of placing speech on the Internet where it can be viewed for free by the public. This is the 'predatory pricing' that Cammarata complains of."

The judges also took a look at the Redtube business model, and after a fascinating review of the history of broadcasting and the Internet, rejected the plaintiff's unfair competition claims.


Free Music Can Pay as Well as Paid Music, YouTube Says

I wonder how many High Schools have even heard of this...

Competition aims to make cybergeeks cool

… The new Cyber Foundations program is the first cybersecurity competition in the U.S. aimed at individual high school students, said Alan Paller, director of research at the SANS Institute, a cybersecurity training center and sponsor of the competition. Student and high school registration is open until Feb. 18 for the competition, whose prizes include four full-ride college scholarships sponsored by the U.S. Navy, gift certificates, and letters of recognition from governors and members of the U.S. Congress.

Something to amuse my Statistics students... There is a difference between random and pseudo-random.

Statistician Cracks Code For Lottery Tickets

"Lottery Post has an interesting story about Mohan Srivastava, an MIT educated statistician who became intrigued by a particular type of scratch-off lottery ticket called an extended-play game — sometimes referred to as a baited hook — that has a tic-tac-toe grid of visible numbers that looks like a miniature spreadsheet. Srivastava discovered a defect in the game: The visible numbers turned out to reveal essential information about the digits hidden under the latex coating. Nothing needed to be scratched off — the ticket could be cracked if you figured out the secret code. Srivastava's fundamental insight was that the apparent randomness of the scratch ticket was just a facade, a mathematical lie because the software that generates the tickets has to precisely control the number of winners while still appearing random. 'It wasn't that hard,' says Srivastava. 'I do the same kind of math all day long.'"
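For the Statistics students, the distinction drawn above between random and pseudo-random, as an added Python illustration (not code from the article or from Srivastava's work): a printer that must ship exactly K winners per batch of N tickets is compared with one that lets every ticket win independently, and only the controlled model leaks information about the unscratched tickets once a few outcomes are known. The batch size, winner count, trial count and seed are constructed values.

```python
"""Controlled vs. independent randomness (constructed illustration).

A payout-controlled generator makes each ticket look as random as a coin
flip, but the tickets are not independent: observing some of them changes
the odds on the rest. An independent process never allows that.
"""
import random
from fractions import Fraction


def independent_batch(n, p, rng=None):
    """Truly random model: every ticket wins independently with probability p."""
    rng = rng or random.Random()
    return [rng.random() < p for _ in range(n)]


def controlled_batch(n, k, rng=None):
    """Payout-controlled model: exactly k winners among n tickets, placed by a
    shuffle. Each single position still wins with marginal probability k/n."""
    rng = rng or random.Random()
    tickets = [True] * k + [False] * (n - k)
    rng.shuffle(tickets)
    return tickets


def next_win_probability_controlled(n, k, seen, seen_wins):
    """Exact P(ticket `seen` wins | the first `seen` tickets held `seen_wins`
    winners) under the controlled model: remaining winners over remaining
    tickets. Raises on an observation the model could not have produced."""
    if not 0 <= seen < n or not 0 <= seen_wins <= min(k, seen):
        raise ValueError("inconsistent observation")
    if seen - seen_wins > n - k:  # more losers seen than the batch contains
        raise ValueError("inconsistent observation")
    return Fraction(k - seen_wins, n - seen)


def empirical_next_win_rate(batches, seen, seen_wins):
    """Monte Carlo estimate of the same conditional probability: among batches
    whose first `seen` tickets contain exactly `seen_wins` winners, the
    fraction in which the next ticket wins. None if no batch qualifies."""
    hits = total = 0
    for batch in batches:
        if sum(batch[:seen]) == seen_wins:
            total += 1
            hits += batch[seen]
    return hits / total if total else None


def compare_models(n=10, k=3, trials=20000, seed=1):
    """Generate `trials` batches under each model and report P(next ticket
    wins) after observing the first five tickets. The independent estimate
    stays near p = k/n whatever was seen; the controlled one moves."""
    rng = random.Random(seed)
    p = k / n
    indep = [independent_batch(n, p, rng) for _ in range(trials)]
    ctrl = [controlled_batch(n, k, rng) for _ in range(trials)]
    results = {}
    for seen_wins in (0, k):  # five losers seen / all k winners already seen
        results[seen_wins] = {
            "independent": empirical_next_win_rate(indep, 5, seen_wins),
            "controlled": empirical_next_win_rate(ctrl, 5, seen_wins),
            "controlled_exact": float(
                next_win_probability_controlled(n, k, 5, seen_wins)),
        }
    return results


if __name__ == "__main__":
    for seen_wins, r in compare_models().items():
        print(f"after 5 tickets with {seen_wins} winners: "
              f"independent {r['independent']:.3f}, "
              f"controlled {r['controlled']:.3f} "
              f"(exact {r['controlled_exact']:.3f})")
```

Once the three winners of a ten-ticket batch have been seen, the controlled model gives the remaining seven tickets a win probability of exactly zero, while the independent model still says 0.3 for every one of them.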

A good idea because you wouldn't want your online and 'dead tree' resumes to contradict each other...

Resume Builder: Create A Resume From Your LinkedIn Profile

For the Swiss Army folder, because you rarely need it and when you do you can't find it?

10 Different Types Of Online Timers For Everyday Stuff

For illustrating math problems?

Ajax Animator: Browser based, simple animation tool (Chrome)

An indication that Cloud Computing is becoming a commodity?

Dell Releases Ubuntu-Powered Cloud Servers

"Dell has released two servers for the U.S. market that have been customized to run Ubuntu-based cloud services. The company has outfitted its PowerEdge C2100 and C6100 servers with Canonical's Ubuntu Enterprise Cloud (UEC), an implementation of the Eucalyptus private cloud software that runs on the Ubuntu Server Edition operating system."

Wednesday, February 02, 2011

No pressure! Note that it still requires you to click on a bogus link....

Internet Explorer bug puts 900 million users at risk

Microsoft has announced that all current versions of Internet Explorer are currently at risk of being hacked due to a flaw in the programme.

It is now known that the web browser, used by 900 million people across the globe, requires a software patch in order to defend against attack while Microsoft prepares a longer term fix, a massive security slip up by the firm.

A security advisory announcement was made on Friday highlighting scripting vulnerabilities affecting all versions of Windows.

It is not however thought that there have been any breaches of security so far: “The main impact of the vulnerability is unintended information disclosure,” said Angela Gunn, a Microsoft representative.

… The fault lies in the MHTML protocol handler, which is used by applications to render certain kinds of document.

According to the statement an attacker could, for example, construct an HTML link designed to trigger a malicious script and then persuade the targeted user to click on it.

Once this happens the script would then be able to run on the machine for the rest of that IE browser session, potentially collecting information from emails, sending the user to fake sites and generally interfering with the browser usage.

Ethical Hackers: Here's how you do it...

Egyptians Turn To Tor To Organize Dissent Online

"Even as President Obama prepares to follow Mubarak with his own 'internet kill switch', Egyptians were turning to the Tor anonymiser to organise their protests online. The number of Egyptians connecting to the internet over Tor rose more than five-fold after protests broke out last week before crashing when the Government severed links to the global internet. Information security researcher, Tor coder and writer of the bridge that allowed Egypt's citizens to short-circuit government filters, Jacob Appelbaum, told SC Magazine Egyptians were 'concerned and some understand the risk of network traffic analysis.' Appelbaum has himself been the subject of attention from US security services who routinely snatch his electronics and search his belongings when he re-enters the country and who subpoenaed his private Twitter account last December."

Which helps explain why Appelbaum is helping to organize a small fundraiser to get more communications gear into Egypt.

(Related) “Yes, it gives the President Mubarak-like power, but it's different! Or at least it will be on paper...”

Senators decry link between Egypt, 'kill switch' bill

Three U.S. senators who want to give the president emergency powers over the Internet are protesting comparisons with the "kill switch" highlighted by Egypt's Net disconnection.

In a statement yesterday, the politicians said their intent was to allow the president "to protect the U.S. from external cyber attacks," not to shut down the Internet, and announced that they would revise their legislation to explicitly prohibit that from happening.

(Related) “Hey, we're the government. You can trust us!”

February 01, 2011

EFF Releases Report Analyzing Surveillance of Americans During Intelligence Investigations Conducted Between 2001 and 2008

Patterns of Misconduct: FBI Intelligence Violations from 2001 - 2008, A Report Prepared by the Electronic Frontier Foundation, January 2011

  • "In a review of nearly 2,500 pages of documents released by the Federal Bureau of Investigation as a result of litigation under the Freedom of Information Act, EFF uncovered alarming trends in the Bureau’s intelligence investigation practices. The documents consist of reports made by the FBI to the Intelligence Oversight Board of violations committed during intelligence investigations from 2001 to 2008. The documents suggest that FBI intelligence investigations have compromised the civil liberties of American citizens far more frequently, and to a greater extent, than was previously assumed. In particular, EFF’s analysis provides new insight into the number of Violations Committed by the FBI..."

So much for net neutrality? Or have they just gone away from “unlimited Internet?”

N.S. internet users mull over CRTC billing decision

The federal regulator gave Bell Canada the approval to implement so-called usage-based billing to wholesale customers — usually smaller internet service providers that rent portions of its network.

Customers of those service providers in Ontario and Quebec received notice this week that they would be able to stream or download only a fraction of the movies and data that they had previously been allowed under the same price plan.

"This is outrageous gouging," said Andrew Wright, who runs a non-profit internet provider in Halifax called Chebucto Community Net.

… "The sad point is that if people aren't careful of what they're doing online, they can rack up one serious bill and we've all heard stories about the cellular industry doing that," he said.

I wonder why no one in the US is doing this? We could easily “borrow” their criteria and evaluate state laws...

European Commission Finds Israeli Data Protection Law Provides Adequate Protection

February 1, 2011 by Dissent

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On January 31, 2011, the European Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive. The decision is restricted to automated international data transfers from the EU, as well as to non-automated data transfers that are subject to further automated processing in Israel. It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel.

Israel joins a select group of countries, including Argentina, Canada, Switzerland, Andorra and several English Channel Islands, which have obtained similar status. A separate arrangement governs data transfers from the EU to the U.S. under the Safe Harbor framework.

Read more on Hunton & Williams Privacy and Information Security Law Blog.

“Hey, we got a good thing going here, why change?”

New Study Shows Persistence Of ‘Flash Cookies’

February 1, 2011 by Dissent

Joe Mullin reports:

The tracking uses of so-called “Flash cookies,” the data packets stored in the computers of users of Adobe (NSDQ: ADBE) Flash Player, started getting a lot more attention last year, when they were the focus of an article about online privacy in the Wall Street Journal, as well as several lawsuits. They were also mentioned as a privacy problem last month by the Federal Trade Commission.

The results from a new study suggest that “re-spawning,” one of the more troublesome practices around Flash cookies, is declining. But the same study showed that about 10 percent of the most-popular web sites may still be using Flash cookies to track users—and none of the companies that run those web sites would discuss what they’re using the cookies for.


1) after ignoring complaints for months, TSA announced earlier this month that they would be changing the machines. 2) no government hardware has ever been designed, tested and implemented in one month. 3) a minor software tweak, changing only how the data is displayed (but keeping the real images in storage somewhere) is a much more probable answer.

TSA debuts new full-body scanners

February 1, 2011 by Dissent

Ashley Halsey III reports:

New airport security scanners designed to be less intrusive than machines that captured near-naked images will debut at the Las Vegas airport Tuesday.

They’ll look just like the controversial scanners that were introduced last fall, but instead of sending a revealing image to be examined in a private security booth, new software will project a non-gender-specific silhouette on a small screen attached to the booth.

If the passenger is carrying any contraband items a red box will appear on the screen. Otherwise it will flash a green okay.

Read more in the Washington Post.

Ethical Hackers: What's taking you so long?

Newest PS3 firmware hacked in less than 24 hours

… Sony announced the release of Version 3.56 on Wednesday. That same day, game console hacker Youness Alaoui, aka KaKaRoToKS, tweeted that he had released the tools to unpack the files, allowing him to uncover the new version's signing keys.

Another resource discovered...

Ca: Management Ethics: Privacy issues

February 1, 2011 by Dissent

The Fall/Winter 2010 issue of Management Ethics (pdf) from has a nice collection of articles:

  • Why Privacy Matters - Chris MacDonald, Ph.D.

  • Privacy by Design: Achieving Consumer Trust and Freedom in the Information Age - Ann Cavoukian, Ph.D.

  • Hiring in a Social Media Age - Avner Levin, SJD

  • Privacy Law: Questions and Answers - Christine Lonsdale

...and we should be able to identify new/modified data instantly...

February 01, 2011

Abandoning Law Reports for Official Digital Case Law

Abandoning Law Reports for Official Digital Case Law, Peter W. Martin, Cornell Law School, January 25, 2011, Cornell Legal Studies Research Paper No. 11-01

  • "In 2009, Arkansas ended publication of the Arkansas Reports. Since 1837 this series of volumes, joined in the late twentieth century by the Arkansas Appellate Reports covering the state's intermediate court of appeals, had served as the official record of Arkansas's case law. For all decisions handed down after February 12, 2009, not books but a database of electronic documents “created, authenticated, secured, and maintained by the Reporter of Decisions” constitute the “official report” of all Arkansas appellate decisions. The article examines what distinguishes this Arkansas reform from the widespread cessation of public law report publication that occurred during the twentieth century and this new official database from the opinion archives now hosted at the judicial websites of most U.S. appellate courts. It proceeds to explore the distinctive alignment of factors that both led and enabled the Arkansas judiciary to take a step that courts in other jurisdictions, state and federal, have so far resisted. Speculation about which other states have the capability and incentive to follow Arkansas’s lead follows. That, in turn, requires a comparison of the full set of measures the Arkansas Supreme Court and its reporter of decisions have implemented with similar, less comprehensive, initiatives that have taken place elsewhere. Finally, the article considers important issues that have confronted those responsible for building Arkansas’s new system of case law dissemination and the degree to which principal components of this one state’s reform can provide a useful template for other jurisdictions."

The “software tool” claims to identify copyrighted material in your browser (only?) but you have to pay for the “universal license” first. Clearly the “universal license” isn't universal as the software will explain how to “purchase the rights” in real time and then records information to summarize violations (and perhaps phone that information home?)

February 01, 2011

New on - The Risky Business of Information Sharing: Why You Need to Care About Copyright

The Risky Business of Information Sharing: Why You Need to Care About Copyright: Copyright is an essential tool in the spread of new ideas, and the workplace has become ground zero for infringement. Ask employees up and down the corporate hierarchy, and they'll tell you that whisking information electronically to co-workers is integral to their jobs. Their employers will emphatically agree. But unauthorized swaps of information also carry enormous potential risk: Ordinary office exchanges, so natural to the digital world, can easily violate the copyright rights of others and bring costly lawsuits or settlements. Now the same technology that has dramatically defined the Internet age is drawing a new roadmap to compliance, with software tools that simplify adherence to copyright requirements.

Ethical Hackers: Is this enough to automate forgery?

National Treasures: Google Art Project unlocks riches of world's galleries

Google is bringing its "street view" technology indoors. With the announcement Tuesday in London of the Google Art Project, the Internet giant jumps into the online art arena with tools that will allow Web surfers to move through 17 of the most prominent art galleries in the world, with the option to look more closely at individual artworks, including some that will be digitized so exhaustively that individual paint strokes and hairline cracks in the surface will be visible.