Saturday, March 19, 2011

Forrest Gump sentenced...

(follow-up) Leader of Hacker Gang Sentenced to 9 Years For Hospital Malware

By Dissent, March 18, 2011

Kevin Poulsen reports that Jesse William McGraw, aka “GhostExodus,” has been sentenced for trying to install malware on the computer network at Northern Central Medical Plaza in Dallas, Texas. As reported previously, McGraw worked at the medical facility as a night security guard and was caught, in part, because he videotaped himself and uploaded it to YouTube. [Stupid is as stupid does. Bob]

Additional earlier coverage can be found here.

At what point do errors become serious? Can you say, “undue reliance?” Investigators do not rely on unverified “facts” – until they are in a database...

Top court to weigh privacy against government data needs

March 18, 2011 by Dissent

William Matthews reports:

Thanks to increasingly sophisticated communications technology and ever-expanding interconnected data bases, even small-town police can run detailed background checks to discover criminals during routine traffic stops.


But there’s a big problem with this instant access to information: A lot of what’s in the databases is wrong, says Marc Rotenberg, president of the Electronic Privacy Information Center.

In a brief filed for a case the U.S. Supreme Court will hear March 21, Rotenberg cataloged the errors he discovered in databases ranging from the FBI’s National Crime Information Center to the Homeland Security Department’s E-Verify system to intelligence data that commercial vendors collect and sell to federal and state agencies.

Read more on GovExec. EPIC’s brief is highly recommended reading.

There are two issues here, it seems. The first is that if you make a lot of data available to law enforcement, they will try to use it and concoct excuses or pretexts for using it. The second is that even if there is a legitimate reason to run a search on someone, the inaccuracies in the databases are so widespread and severe that they result in adverse consequences to innocent parties.

Which is a long way of saying, perhaps, that I don’t agree with the headline of GovExec’s story, as I can think of no reason for the government to need wildly inaccurate data.

Students have no rights.

What would happen if teachers searched student phones for “sexting” photos? Would they risk being charged with “Child Pornography?” Could they search a folder named “Correspondence with my Lawyer?”

UT: Alpine cell phone policy prompts school privacy, safety debate

March 18, 2011 by Dissent

Keeping tabs on what children and teenagers are doing and saying is hard enough for parents — let alone school teachers and administrators.

But when it comes to maintaining a safe learning environment, school officials say they try to balance the privacy of individual students with the safety of all.

Currently, students at Alpine School District have “no expectation of privacy in association with the use of the Internet,” while they’re using school computers. That’s typical of districts statewide, but a new policy at Alpine would extend that provision to personal devices like cell phones and mp3 players that have Internet capabilities.

That means if a teacher or administrator thinks a student is doing something online that breaks school rules or the law, they’ll be able to look at the phone to verify.

Read more on Deseret News.

For my Ethical Hackers

Dutch Court Rules WiFi Hacking Not a Criminal Offense

"Breaking in to an encrypted router and using the WiFi connection is not a criminal offense, a Dutch court ruled. (Original article in Dutch; English translation.) WiFi hackers can not be prosecuted for breaching router security. The judge reasoned that the student didn't gain access to the computer connected to the router, but only used the router's internet connection. Under Dutch law breaking in to a computer is forbidden. A computer in The Netherlands is defined as a machine that is used for three things: the storage, processing and transmission of data. A router can therefore not be described as a computer because it is only used to transfer or process data and not for storing bits and bytes. Hacking a device that is not a computer by law is not illegal, and can not be prosecuted, the court concluded. "

Also for my Ethical Hackers...

Getting Past Censorship With Unorthodox Links To the Internet

"Savvy techies are finding ways to circumvent politically motivated shutdowns of the internet. Various groups around the world are using creative means like multi-directional mobile phone antennae and even microwave ovens to transmit internet traffic across international borders."

For my Computer Security students. Always look for someone who has thought about a problem in depth...

A genius approach to web security

Song and her research team aren't looking to simply patch holes in the Internet that online baddies are constantly trying to penetrate. She takes a more holistic approach, designing technology tools that can act as building blocks for an overall secure computing experience -- on any device.

… Song's groundbreaking research has become the basis for two important platforms: BitBlaze, which analyzes malicious software code, and WebBlaze, which focuses on defending web-based applications and services against it. (The WebBlaze approach has been used in the design of mainstream web browsers.) Song is also working on the privacy side of things, so that people can trace where their sensitive data have been and know whether they are still secure or have been sold or breached.

Song's hope is that BitBlaze, WebBlaze, and her privacy initiatives become fundamental Internet tools that are deployed when any person or company builds a new cloud-based service or overhauls an existing one.

The future has arrived. Now your computer no longer delivers “electronic minus mail”

The Pedants’ Revolt: Does The AP’s Killing Of E-Mail Mark A Worrying Escalation?

“Daddy,” generations of children as yet unborn will ask, “where were you when the Associated Press removed the hyphen from the word ‘e-mail’?”

Friday, March 18, 2011

Perhaps the hacks are by e-Paparazzi? Perhaps they are “planned leaks” by the “star's” publicist? Perhaps no one cares?

Hacker Ring Targeting Young Hollywood Stars

March 18, 2011 by Dissent

The FBI is reportedly investigating a hacking ring that is attacking phones and computers of stars and stealing nude photos and other personal items.

The latest victim is apparently Scarlett Johansson, 26, who reportedly had a nude picture hacked from her iPhone.

Earlier this week “High School Musical” star Vanessa Hudgens had to release a statement after a batch of nude photos of her started circulating online. In the photos she is kissing another woman and posing nude.

Read more on MyFOXNewYork. TMZ mentions that an unnamed source indicates that as many as 50 other celebrities may have already been victims, too.

As unfortunate as these types of breaches are, one wonders why they don’t serve as more of a wakeup call for people to not store nude photos and the like on their cell phones or portable devices. I guess it’s the “It couldn’t happen to me” mentality.

Interesting question. Should we treat public employees like professional athletes? (Minus the multi-million dollar salaries, of course.) We publish the athlete's Batting Average or Quarterback rating, or Free-Throw percentage... Personally, I think it might be fun to say, “Senator, it looks like you're in a Legislative Slump. You're only 2 for 26 on getting your bills passed...”

NC: Bill pits public right vs. privacy

March 18, 2011 by Dissent

Fred Clasen-Kelly reports:

A legislative proposal that would grant citizens access to performance evaluations and other details about government employees in North Carolina has pitted the public’s right to know against worker privacy.

At an open government conference Thursday, a city of Charlotte official blasted the proposal, saying it was “a complete invasion” of privacy.

“I don’t want everyone in Charlotte to know I had a bad year,” said Hope Root, a city attorney.

Read more in the News & Observer.

Nothing new?

“Your Data Your Rights”

March 17, 2011 by Dissent

Statement by Viviane Reding, European Commissioner For Justice:

Our Charter of Fundamental Rights and our Treaty make it clear that everyone has the right to the protection of personal data. This right is particularly important in today’s world – a world in which rapid technological changes allow people to share personal information publicly and globally on an unprecedented scale.

While social networking sites and photo sharing services have brought dramatic changes to how we live, new technologies have also prompted new challenges. It’s now more difficult to detect when our personal data is being collected. Sophisticated tools allow the automatic collection of data. This data is then used by companies to better target individuals. Public authorities are also using more and more personal data for a wide variety of purposes, including the prevention and fight against terrorism and serious crime.

The question today is how the Commission will ensure that privacy rights are put into action. I am a firm believer in the necessity of enhancing individuals’ control over their own data.

Peoples’ rights need to be built on four pillars:

The first is the “right to be forgotten”: a comprehensive set of existing and new rules to better cope with privacy risks online. When modernising the legislation, I want to explicitly clarify that people shall have the right – and not only the “possibility” – to withdraw their consent to data processing. The burden of proof should be on data controllers – those who process your personal data. They must prove that they need to keep the data rather than individuals having to prove that collecting their data is not necessary.

The second pillar is “transparency”. It is a fundamental condition for exercising control over personal data and for building trust in the Internet.

Read more of her statement on eGov Monitor. Have you guessed the other two pillars? They’re “privacy by default” and “protection regardless of data location.” [Attention Cloud providers! Bob]

Did I mention I like the way she thinks about much of this?


The Review of the EU Data Protection Framework v. The State of Online Consumer Privacy in the US

March 17, 2011 by Dissent

In a recent blog entry on EDiscoveryMap, Monique Altheim highlights some of the differences between EU and U.S. approaches to privacy regulation, contrasting the differences between yesterday’s Senate hearing on consumer privacy and a talk given by Viviane Reding, Vice President of the European Commission, Commissioner for Justice, Fundamental Rights and Citizenship, “The Review of the EU Data Protection Framework.”

While EU and U.S. privacy advocates seem to be at arm’s (pond’s?) length on the issue of a “right to be forgotten,” there are also significant differences in other aspects of how privacy is viewed and embodied within the laws and respective cultures. In many respects, American privacy advocates like myself are probably more comfortable with the European approach of viewing privacy as a fundamental human right. Instead, we find ourselves poring through legal decisions looking for any glimmer of recognition of any kind of right to privacy.

Read Monique’s commentary on EDiscoveryMap. It may help you get a better sense of the differences in our respective frameworks.

There is a mentality in the U.S. that usually resists following Europe’s lead. Maybe it’s a throwback to our revolutionary roots, but when it comes to privacy, the EU is way ahead of us in some respects.

This is significant. Those little devices with the number in the window are used to secure a lot of systems.

RSA's Servers Hacked

"EMC subsidiary RSA was the victim of 'an extremely sophisticated cyber attack' which resulted in the possible theft of the two-factor code used by their SecurID products."

The Boston Herald has a short article on the intrusion. Update: 03/17 23:54 GMT by T : Reader rmogull adds

"With all the hype that's sure to explode over this one, we decided to do a quick write-up to separate fact from speculation."

[From Yahoo answers:

The 6 digit code that you see on the token is generated using an algorithm that exists in all tokens. The token also contains a clock and has a unique seed number. The current time and the unique seed are processed using the algorithm and produce the token code you see on the token. This is normally done once per minute. In this way a unique code is generated that appears to be random.

The server (Ace server), that is online and connected to whatever system you are logging on to, also knows the time and it also knows the unique seed number of your token. So it uses the same algorithm to calculate the code that you should see on your token. If they match then you are authenticated.
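To make the mechanism in the excerpt concrete, here is an added example (not RSA's code and not the proprietary SecurID algorithm; it uses the open HMAC-based time-code construction of RFC 6238 with constructed sample seeds) showing the token side, the server side with a clock-drift window and replay rejection, and why the seed database is the asset whose possible theft makes the story significant.

```python
"""Illustrative time-synchronised token scheme: shared seed + clock -> 6-digit code,
server recomputes and compares. Added teaching example using HMAC-SHA1 over the time
step (RFC 6238 TOTP), NOT RSA's SecurID algorithm. All seeds are constructed samples."""
import hmac
import hashlib
import struct

STEP_SECONDS = 60      # the excerpt says the code changes about once per minute
DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Code a token holding `seed` would display at `unix_time`."""
    counter = unix_time // step                       # time step, not raw seconds
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class AceServerModel:
    """Server side: holds the seed database and verifies submitted codes.
    Anyone who holds this seed database can compute every user's codes,
    which is why the seeds, not the algorithm, are the secret."""

    def __init__(self, seeds: dict, drift_steps: int = 1):
        self._seeds = seeds
        self._drift = drift_steps          # tolerate +/- this many steps of clock skew
        self._last_used = {}               # user -> last accepted counter (replay guard)

    def verify(self, user: str, submitted: str, unix_time: int) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        base = unix_time // STEP_SECONDS
        for delta in range(-self._drift, self._drift + 1):
            counter = base + delta
            expected = token_code(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                if self._last_used.get(user, -1) >= counter:
                    return False           # same or older code already consumed
                self._last_used[user] = counter
                return True
        return False


# Constructed sample seed database (the kind of data at stake in the RSA story).
SEEDS = {"alice": b"constructed-seed-alice-0001", "bob": b"constructed-seed-bob-0002"}


def demo():
    """Fresh code accepted once, replay of the same code rejected, unknown user rejected."""
    server = AceServerModel(SEEDS, drift_steps=1)
    now = 1300400000                                  # constructed timestamp (March 2011)
    code = token_code(SEEDS["alice"], now)
    first = server.verify("alice", code, now + 30)    # 30 s later, same step: accepted
    replay = server.verify("alice", code, now + 30)   # presented again: rejected
    unknown = server.verify("carol", code, now + 30)  # no seed on file: rejected
    return first, replay, unknown


def drift_demo():
    """Same code checked 90 s and 150 s after generation with a one-step drift window."""
    server = AceServerModel(SEEDS, drift_steps=1)
    now = 1300400000
    code = token_code(SEEDS["alice"], now)
    late_one_step = server.verify("alice", code, now + 90)    # one step late: accepted
    late_two_steps = server.verify("alice", code, now + 150)  # two steps late: rejected
    return late_one_step, late_two_steps


if __name__ == "__main__":
    print("accept/replay/unknown:", demo())
    print("drift window:", drift_demo())
```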

This may be worthy of a seminar by itself!

Yahoo to show how data used to target adverts

March 17, 2011 by Dissent

Tim Bradshaw reports:

Yahoo has launched a scheme in the UK to show visitors to its websites how their personal data are used to target advertising, the first such move by a large internet publisher ahead of the introduction of new European online privacy rules.

A year after its launch in the US, Yahoo’s “Ad Choices” icon will be added to advertisements on pages where its users log in to services such as Yahoo Mail and Messenger, some of its highest-value banners. Clicking on the icon prompts more information about who placed the advertisement, why it was shown and links to manage user preferences about targeted “interest-based” advertising.

Read more on Financial Times.

Good for Yahoo for doing this, too. I’d like to see them do this in the U.S.

The consensus so far seems to be: This won't work.

Commentary: The New York Times Paywall Is … Weird

The NYT paywall has arrived: it’s going up in Canada today, and then worldwide on March 28. The most comprehensive source for the gritty details is this FAQ, which does things like explain the difference between an item and a pageview. (A slideshow or a multi-page article is one “item,” no matter how many slides it contains.)

The NYT has decided not to make the paywall very cheap and porous in the first instance as people get used to it. $15 for four weeks might be cheap compared to the cost of a print subscription, but $195 per year is still enough money to give readers pause and to drive them elsewhere. And similarly, 20 articles per month is lower than I would have expected at launch.

As all entertainment media viewing shifts to the Internet, someone has to come up with a tool to find exactly what you want to watch, when you want to watch it.

Moki.TV Is The Ultimate, Personalized Guide To What’s Streaming On The Web

TV shows and movies are spread across a variety of websites, and platforms, including iTunes, Hulu, Amazon, Netflix and others, and it can be difficult to sort through all this fragmented content. Y Combinator-backed Moki.TV is launching today as a personalized guide to all TV, video and movie content on the web.

Moki.TV is a directory of all paid and free content included on Amazon’s streaming service, Netflix, Hulu, iTunes, and others. At the moment, the site has 40,000 movies, and 60,000 TV episodes indexed; and this number is growing daily, says co-founder Matt Huang. Users can use the site to search for content and find where this content is streaming.

For the Techie-Toolbox

How To Create The Ultimate Boot CD For Windows

Thursday, March 17, 2011

“Hey, we gotta start teaching them young that they got no right to Privacy!”

US Ed Dept Demanding Principals Censor More

"Education Department officials are threatening school principals with lawsuits if they fail to monitor and curb students' lunchtime chat and evening Facebook time for expressing ideas and words that are deemed to be harassment of some students. Under the new interpretation of civil rights laws, principals and their schools are legally liable if they fail to curb 'harassment' of students, even if it takes place outside the school, on Facebook or in private conversation. When children are concerned, where is the line between protection and censorship?"

We have the technology, therefore we have to use it!

March 16, 2011

EPIC Urges Congress to Suspend Body Scanner Program, Require Public Comment Period

EPIC: "In a hearing before the House Oversight Subcommittee on National Security, EPIC urged Congress to suspend the use of airport body scanners for primary screening. EPIC said the devices were not effective and were not minimally intrusive, as courts have required for airport searches. EPIC cited TSA documents obtained in EPIC's FOIA lawsuit which showed that the machines are designed to store and transfer images, and not designed to detect powdered explosives. EPIC was joined on the panel by radiation expert Dr. David Brenner, who has frequently pointed out the radiation risks created by these machines. The TSA, which is a federal agency funded by taxpayer dollars and responsible for the body scanner program, originally refused to testify at the hearing. Eventually they showed up. Chairman Jason Chaffetz, who had previously sponsored a bill regarding body scanners, grilled the TSA officials and said the hearing would continue with more questions. For more information see EPIC: Whole Body Imaging Technology and EPIC: EPIC v. DHS."

Another comment on Privacy

Senate Committee Holds Hearing on the State of Online Consumer Privacy

March 17, 2011 by Dissent

Nicole Friess has a recap of yesterday’s hearing on consumer online privacy:

On March 16, 2011, the U.S. Senate Committee on Commerce, Science, and Transportation held a full committee hearing on the state of online consumer privacy. The hearing was the first in a series of hearings the Committee will hold on consumer privacy in the 112th Congress. The hearing focused on online commercial practices that involve collecting, maintaining, using and disseminating large amounts of consumer information, some of it potentially very sensitive and private in nature.

Read her recap on InformationLawGroup.

I wonder if we'll see Dilbert move into Noprivacyville? Could be interesting.

Scott Adams Says Plenty Would Choose Life In Noprivacyville

"On the other end of the spectrum from Richard Stallman, Scott Adams (of Dilbert fame) speculates upon the advantages of living in a town with no privacy whatsoever. Everyone gets chipped and tracked online. 'Although you would never live in a city without privacy, I think that if one could save 30% on basic living expenses, and live in a relatively crime-free area, plenty of volunteers would come forward.'"

The latest “Sue me!” ploy?

Crazy Zediva streams movies only out on DVD

Want to stream a movie over the Internet that's not available for streaming on a service like Netflix or Amazon? Zediva can stream films that you can only get on physical DVDs--through a goofball workaround that actually has strong legal precedent.

Zediva rents you a DVD but keeps the DVD in a player in its own facility. You then control this player remotely from your computer, and the output is piped over the Net to you. Think of it as a wall of Slingboxes, available for rent. If you want to watch a movie online that's only available on disc because it's in the pre-streaming, DVD-sales-only "window," this will punch through that restriction.

“How do I charge thee, let me count the ways...”

British ISPs Could 'Charge Per Device'

"British ISPs could start charging customers depending on which device or which type of data they're using, according to a networks expert. 'The iPad created a very interesting situation for the operators, where the devices themselves generated additional loads for the networks,' said Owen Cole, technical director at F5 Networks. 'The operators said "If we have devices that are generating work for us, this gives us the ability to introduce a different billing model."' 'The operators launched special billing packages for it, which is in direct contravention to net neutrality,' said Owen. 'If things are left to just be driven by market economics, we could end up with people paying for the amount of data that they consume to every device and that would not be a fair way to approach the market.' Owen also foresees a billing system that charges less for non-urgent data, with an email costing less per bit than either Skype or video packets that need immediate delivery."


AT&T Will Charge You for Uncompleted Calls

Interesting free resource.

March 16, 2011

EURO-LEX Official launches of LII of India - 108 databases

"The Legal Information Institute of India (LII of India) was officially launched in Delhi on 9th March, 2011, followed by the first regional launch in Hyderabad on 11 March. Further regional launches will take place in Bangalaru and Kolkota over the next fortnight. Each launch is hosted by a partner National Law University. The official launch in Delhi was by Dr (Shri) M Veerappa Moily, Union Minister of Law and Justice, Government of India. Other Guests of Honour to speak at the launch included Dr Lachlan Strahan, Australian Deputy High Commissioner, Chief Justice Dipak Misra of the Delhi High Court, the Justice V P Reddi, Chairman of the Law Commission of India, and Prof Ved Prakash, Chairman of the University Grants Commission, as well as representatives of LII of India and of AustLII. The Delhi launch, at the Vigyan Bhavan, was hosted by the National Law University, Delhi (NLUD)...LII of India now has 108 databases (plus 8 virtual databases), with the recent addition of 59 databases of State and Territory legislation. It currently provides free online access to Indian legislation (63 databases), treaties (2 databases), case law (41 databases), law reform (1 database) and legal scholarship (9 databases). Further databases are being added." [Graham Greenleaf AM Professor of Law & Information Systems, University of New South Wales (UNSW)]

For the techie toolkit

How To Create Disk Images & Mount Them On A Virtual Drive [Windows]

For my Math students...

How the Japan Earthquake Made the Day Shorter

Not just for teachers, these videos show you how to use some nifty free software!

Tuesday, March 15, 2011

Loads of Great Teacher Training Videos

When you're trying to figure out how to use a new piece of software or a new web application, searching YouTube for how-to videos often returns some useful stuff. But for teachers there is a better place to turn to and that place is Russell Stannard's Teacher Training Videos. Russell Stannard's videos are screencasts in which he walks viewers through the process of using software and web applications from beginning to end. The videos are categorized by the purpose of the application such as blogging, podcasting resources, online quizzes, file sharing, IWB, etc. There are also categories for EFL and MFL.

[For example, here is a video on JING screen capture software:

Wednesday, March 16, 2011

An interesting strategy. Will users of HP hardware have the option to Opt-Out? Will users even know when they have been switched into the Cloud?

Apotheker sets HP's course: Heading for the cloud

Posted by Michael V. Copeland, Senior Writer

March 15, 2011 11:36 AM

It's been just over eight months since Mark Hurd left HP (HPQ) beneath an avalanche of tabloid covers. In that time, HP's stock has slid just over 10%, leaving investors wondering when and how the world's largest tech company can get back on course.

Hurd's replacement, Leo Apotheker, in his first major public speech since being named to the top HP spot in September, gave his answer to a gathering of press and analysts in San Francisco Monday afternoon. During a presentation that lasted a bit over 30 minutes, Apotheker outlined three major areas of focus for HP in the coming months and years: Cloud computing, a wide variety of Internet-connected hardware for consumers and businesses alike, and software, including pushing HP's (formerly Palm) webOS to hundreds of millions of PCs, tablets, printers and smartphones.

The vision Apotheker has is one where HP devices interact with an HP cloud. You get things done locally if that makes the most sense for the device and the task at hand, or via some cloud-based service if that is the smarter approach. The software that ties all the devices together, and hands off between your gadgets - tablet to PC, smartphone to printer – and between your work and home life will be webOS. HP sells two PCs and two printers every second. Starting in 2012, webOS will be shipping on all of them (in addition to smartphones and tablets). It's clear HP is serious about pushing webOS into the market, and talks about it like it's the Windows of the future, or more accurately the Windows, iOS and Android of the future. Think of it as the connective tissue for HP's cloud.

I didn't catch an earlier announcement, sorry. Looks like you could follow this using but you better read fast...

Twitter Event Mar. 16: #TAPtalk

March 15, 2011 by Dissent

TAP will be hosting a chat on Twitter under the hashtag #TAPtalk on March 16 from 2 pm to 3 pm, EST.

Their lineup of participants, who will ask and answer questions during the hour-long TAPtalk, includes:

  • Adam Thierer, Senior Research Fellow at Mercatus Center: @AdamThierer

  • Chris Hoofnagle, Director, Information Privacy Programs at UC Berkeley: @hoofnagle

  • Ashkan Soltani, Independent Researcher and Consultant: @ashk4n

  • Jules Polonetsky, Co-Chair and Director at The Future of Privacy Forum: @JulesPolonetsky

  • Randy Picker, Professor at University of Chicago Law School: @randypicker

  • Justin Brookman, Center for Democracy & Technology: @JustinBrookman

  • Anurag Pandit, Product Manager, Internet Explorer

  • Shaun Dakin, Privacy Camp: @ShaunDakin

Just follow the conversation and tweet using the hashtag #TAPtalk.

(Related) Never saw this coming either... If you miss the stream, it looks like the transcripts at least are online.

In Congress this morning: “TSA Oversight Part I: Whole Body Imaging”

March 16, 2011 by Dissent

House Committee on Government Oversight & Reform, Subcommittee on National Security

Today, 9:30 am – 11:30 am, EST:

TSA Oversight Part I: Whole Body Imaging

The hearing will be streamed live at

Attention Founding Fathers! Watch how we turn this concept into a call for a bigger bureaucracy...

White House to Push Privacy Bill

March 15, 2011 by Dissent

Jennifer Valentino-DeVries And Emily Steel report:

The Obama administration plans to ask Congress Wednesday to pass a “privacy bill of rights” to protect Americans from intrusive data gathering, amid growing concern about the tracking and targeting of Internet users.

Lawrence E. Strickling, an assistant secretary of commerce, is expected to call for the legislation at a hearing of the Senate Commerce Committee, said a person familiar with the matter.

This person said the administration will back a law that follows the outlines of a report issued by the Commerce Department in December. The administration wants any new rules to be enforceable and will look to expand the Federal Trade Commission’s authority, this person said.

Read more on MarketWatch.

[The report:

Companies should

promote consumer privacy throughout their organizations and at every stage of the development of their products and services

simplify consumer choice

increase the transparency of their data practices


Browser Beware: Washington Weighs Online Consumer Privacy

March 15, 2011 by Dissent

Steven Gray reports:

For nearly a year starting in April 2007, Sears ran “My SHC Community,” an online feature that invited consumers to download software onto their computers that, according to the Federal Trade Commission, asked them to “journal your shopping and purchasing behavior.” The tracking software ran constantly, even when users left Sears’ website, and it collected an astonishing trove of information: details about bank accounts, medical prescriptions and library loans, as well as portions of e-mails and instant messages. Sears paid users $10 to join the community. But the only way you’d know about the scope of the data-mining was if you bothered to read deep into the fine print, all the way to the 75th line. Last June, the FTC declared Sears’ practice “deceptive” and ordered the data destroyed.

The Sears case may be indicative of a larger trend.

Read more in Time.

“It's for the children!” How else can we develop a database that accurately identifies all of our citizens whenever and wherever they are?

Iris-Scan ID Cards For Children In Mexico

"Today the first ID cards that include iris and fingerprint biometric information were registered and issued in the Mexican state of Guanajuato. (Original article in Spanish.) The juicier part of the story is that for now, only children will be enrolled in this national biometric database. It is intended that by December 2012 all children in the country will be registered. The alleged purpose of the new ID card is to hinder the abduction of children and prevent child exploitation. [“Hey, don't kidnap that kid, he's been scanned!” Sure. Bob] The first ID cards are being issued in the same city that last year started implementing a mandatory iris scan for convicted felons and voluntary members of the public in a Minority Reportesque plan to combat delinquency that features iris readers in public transport and ATMs. This comes from the country that last year attempted and failed to create a national database of mobile phone users, again with the purported intention to tackle extortion and kidnappings."

(Related) It's for your own good! (and we think you're lying.) Of course, you can pay us to not test you...

AZ: County employees unhappy about saliva test

March 16, 2011 by Dissent

UPI reports:

An Arizona county is trying to get reliable data on whether its employees are smokers by testing saliva, a move some workers are resisting.

“They gotta do what they gotta do, but it is kind of an invasion of our privacy,” Dee Webber, a Maricopa County accounting employee and admitted smoker, told The Arizona Republic.

Maricopa County, which includes Phoenix and its suburbs, is not compelling employees to have their saliva tested — but those who do not, along with those who test positive for tobacco — will pay higher insurance premiums. [No pressure! Bob]

Read more on UPI.

Another Privacy “Oops” or a deliberate decision to ignore user preferences?

Google deceiving Android users on location sharing

March 15, 2011 by Dissent

Alexander Hanff writes:

Last summer I raised an issue with Google regarding location sharing on Android devices. Google give consumers the option of disabling location sharing on their new Android device during initial device setup (the first time you turn the device on) and the wording Google uses leads consumers to believe that is an end to it, but it isn’t.

When setting up my own HTC Desire, I of course chose to disable location sharing and it seemed to work. However, a couple of days later I was checking settings in the Android browser and discovered that despite opting out of location sharing, the Android browser still had location sharing enabled.

This infuriated me as I felt deceived, I raised the issue on Twitter and discovered many others had the same problem, many of them sharing location data through their browser settings for months, completely unaware that it was happening, they assumed that all location sharing was disabled when they selected the option during setup.

Read more on Alex’s Blog on Privacy International.

When the network turns anti-social...

Social Media Misbehavior by Jurors Afflicts Trial Process

March 16, 2011 by Dissent

Ken Strutin, director of legal information services at the New York State Defenders Association, writes:

Most people called to serve on grand or petit juries regularly use the internet to transact business, conduct research and carry out daily activities. And social media have become lifelines to networking with friends, families and co-workers. Unfortunately, a growing number of potential jurors have fallen prey to the lure of Tweeting or doing a Google search about the cases before them. This wrinkle in due process has challenged the courts and counsel to find new ways of uncovering online misconduct and preventing it in the future.

Read more from his New York Law Journal article on Law Technology News. Strutin really provides a nice description of the complexity of some of the issues involved in ensuring a fair trial while not infringing on jurors’ rights. He also includes references to a number of specific cases in the courts, including the “Facebook Juror” case in California that has made headlines after a judge ordered Arturo Ramirez, now known as “Juror Number One” in court filings (or the “Facebook Juror” in the blogosphere) to consent to Facebook releasing his non-public messages to the court.

It's that time of year again. The IRS will encourage electronic filing and Computer Security geeks will have a good laugh... (Just a few tidbits from the report)

GAO Report: “Information Security: IRS Needs to Enhance Internal Control over Financial Reporting and Taxpayer Data”

… Specifically, IRS did not consistently implement controls that were intended to prevent, limit, and detect unauthorized access to its financial systems and information. For example, the agency did not sufficiently (1) restrict users’ access to databases to only the access needed to perform their jobs; (2) secure the system it uses to support and manage its computer access request, approval, and review processes; (3) update database software residing on servers that support its general ledger system; and (4) enable certain auditing features on databases supporting several key systems. In addition, 65 of 88–about 74 percent–of previously reported weaknesses remain unresolved or unmitigated. An underlying reason for these weaknesses is that IRS has not yet fully implemented key components of its comprehensive information security program.
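The first and fourth findings (accounts holding more database access than their job needs, and auditing left off) are the kind of thing an access-review script catches in minutes. This is an added example, not anything from the GAO report or an IRS system: the role baseline, the account grants and the audit flags are constructed sample data standing in for what such a script would pull from the database's own catalog views.

```python
"""Access review over database grants and audit settings.

Added example, not from the GAO report or any IRS system: the role baseline,
the account grants and the per-database audit flags below are constructed
sample data standing in for what an access-review script would pull from the
database's own catalog views."""

# Least-privilege baseline: the privileges each job role needs (constructed).
ROLE_BASELINE = {
    "ledger_clerk":   {"SELECT", "INSERT"},
    "ledger_auditor": {"SELECT"},
    "dba":            {"SELECT", "INSERT", "UPDATE", "DELETE", "ALTER", "GRANT"},
}

# Privileges actually held on the general-ledger database (constructed sample).
ACTUAL_GRANTS = [
    {"account": "jsmith",  "role": "ledger_clerk",   "privs": {"SELECT", "INSERT"}},
    {"account": "mjones",  "role": "ledger_clerk",   "privs": {"SELECT", "INSERT", "DELETE", "ALTER"}},
    {"account": "rlee",    "role": "ledger_auditor", "privs": {"SELECT", "UPDATE"}},
    {"account": "dbadmin", "role": "dba",            "privs": set(ROLE_BASELINE["dba"])},
    {"account": "svc_old", "role": "contractor",     "privs": {"SELECT"}},  # role with no baseline
]

# Whether auditing is enabled on each supporting database (constructed sample).
AUDIT_STATE = {"general_ledger": True, "access_requests": False, "hr_master": False}


def excess_privileges(grants, baseline):
    """Map each over-privileged account to the privileges its role does not need.

    An account whose role has no baseline at all is reported with every privilege
    it holds: nothing on file authorises any of them."""
    findings = {}
    for grant in grants:
        allowed = baseline.get(grant["role"], set())
        excess = grant["privs"] - allowed
        if excess:
            findings[grant["account"]] = sorted(excess)
    return findings


def unaudited_databases(audit_state):
    """Databases on which auditing is switched off."""
    return sorted(db for db, enabled in audit_state.items() if not enabled)


def review(grants=ACTUAL_GRANTS, baseline=ROLE_BASELINE, audit_state=AUDIT_STATE):
    """One report combining both checks, so it can be diffed against last quarter's."""
    return {
        "excess_privileges": excess_privileges(grants, baseline),
        "unaudited_databases": unaudited_databases(audit_state),
    }


if __name__ == "__main__":
    report = review()
    for account, privs in report["excess_privileges"].items():
        print(f"{account}: revoke {', '.join(privs)}")
    for db in report["unaudited_databases"]:
        print(f"{db}: enable auditing")
```

Run quarterly and diff the output against the previous run: the "74 percent still unresolved" figure in the report is exactly what a stale finding list looks like when nobody does that.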

I wonder what they would need to block if we were at war?

US Military Blocks Websites To Free Up Bandwidth

"The US military has blocked access to a range of popular commercial websites in order to free up bandwidth for use in Japan recovery efforts, according to an e-mail obtained by CNN and confirmed by a spokesman for US Strategic Command. The sites — including YouTube, ESPN, Amazon, eBay and MTV — were chosen not because of the content but because their popularity among users of military computers account for significant bandwidth, according to Strategic Command spokesman Rodney Ellison. The block, instituted Monday, is intended 'to make sure bandwidth was available in Japan for military operations' as the United States helps in the aftermath of last week's deadly earthquake and tsunami, Ellison explained."

As far as I can see, this website reports how well (or poorly) the government handles FOIA requests, but none of the actual data is available.

March 15, 2011

DOJ Launches

"As the flagship initiative of the Department’s Open Government Plan, OIP [Office of Information Policy] is proud to announce the launch of FOIA.Gov, a comprehensive public resource for government-wide FOIA information and data. FOIA.Gov displays graphically a wealth of data on agency FOIA compliance, contains educational material about how the FOIA works, and contact information for all government agencies. OIP’s own website will always provide a link to FOIA.Gov on the right hand side of our site."

Haven't I been saying this for years? (Why yes Bob, you have.)

Cutting Prices Is the Only Way To Stop Piracy

"The only way to stop piracy is to cut prices. That's the verdict of a major new academic study that reckons copyright theft won't be halted by 'three strikes' broadband disconnections, increasing censorship or draconian new laws brought in under the anti-counterfeiting treaty ACTA. The Media Piracy Project, published last week by the Social Science Research Council, reports that illegal copying of movies, music, video games and software is 'better described as a global pricing problem' — and the only way to tackle it is for copyright holders to charge consumers less money for their wares."

Infographics are a quick way to communicate complex data.

10 Blogs For Stunning Infographic Collections

It's not that our students can't read; it's that they never seem to re-read what they write. Perhaps they will listen?

Convert Text To Speech For Free With Balabolka [Windows]

Tuesday, March 15, 2011

I can't wait for nationwide electronic health records. I'm not certain this is “Cloud Computing” but IBM appears to be involved at some level.

Yet another Health Net breach raises disturbing questions

March 14, 2011 by admin

More is starting to come out about the Health Net breach involving missing server drives that we first learned of earlier today in a press release from CT’s Attorney General. His press release was followed by a press release from Health Net. Now a few more details have emerged:

Kathy Robertson of the Sacramento Business Journal reports that the breach may affect 1.9 million people and that:

The California Department of Managed Health, the regulatory agency that oversees HMOs, announced Monday it has launched an investigation into Health Net’s security practices.

The agency estimates records for more than 622,000 members in health plans regulated by the Dept. of Managed Health Care may have been compromised, as well as records for 223,000 members in products regulated by the Department of Insurance. Records for some Medicare beneficiaries also may be lost.

The Dept. of Managed Health Care’s press release can be found on their site.

The fact that we’re getting our information from sources other than Health Net does not speak well for Health Net, in my opinion. Indeed, the fact that their press release references “several” drives while Attorney General Jepsen’s press release and California’s press release indicate nine drives suggests that Health Net officials haven’t gotten the message about transparency and may be trying to downplay the extent of the incident rather than controlling the story by getting the details out in their own statements. In addition to failing to be straightforward about the number of drives involved:

  • Health Net’s press release did not provide any numbers - even though they know they have to provide numbers to HHS that will be revealed publicly on HHS’s web site. As the Los Angeles Times reports:

Health Net would not say how many computer drives or people were affected. The managed health care department, citing Health Net as its source, said nine drives were missing, with information on 1.9 million current and former members.

  • Additionally, Health Net has not publicly revealed precisely when they first became aware of the unaccounted-for drives and when those drives were last accounted for.

Of course, even though it is Health Net whose name is in the news for this breach, they really may be entitled to some empathy if the breach should turn out to be IBM’s responsibility as their IT vendor. But — assuming for now that these drives weren’t encrypted or they wouldn’t be reporting this breach and offering two years of credit protection services:

  • Why weren’t the drives encrypted? Even if it was IBM’s responsibility to encrypt the drives (and I’m not sure it was), Health Net should still have been auditing or checking its vendor’s compliance with any security protocols in the contract.

There is much more we need to learn about this breach. And hopefully, HHS will do a thorough investigation that considers Health Net’s past track record on losing devices with unencrypted PHI. A 2009 breach that occurred before the new HITECH reporting requirements went into effect resulted in fines and actions by both Connecticut and Vermont for late notification of both affected individuals and the states and failure to comply with HIPAA security requirements. Will HHS take any enforcement action against Health Net over this breach? Only a lot of time will tell.

[From the Health Net press release:

This investigation follows notification by IBM, Health Net’s vendor responsible for managing Health Net’s IT infrastructure, that it could not locate several server drives.

[From the Sacramento Business Journal:

Health Net Inc. has launched an investigation into a security breach at its Rancho Cordova data center... [Leading me to conclude that IBM was running their data center rather than hosting their data in the cloud. Bob]
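“Auditing or checking its vendor’s compliance” with an encryption requirement does not have to mean taking the vendor’s word for it. The check below is an added example, not code from Health Net, IBM or anyone covering this breach: it reads the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux server and lists every mounted filesystem that does not sit on a dm-crypt layer. The block-device tree embedded in it is constructed, with one encrypted root volume and one plaintext data volume, so it runs without a server to point at.

```python
"""List mounted filesystems that are not on an encrypted (dm-crypt) device.

Added example, not from Health Net, IBM or any report on this breach. It parses
the output of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`; SAMPLE_LSBLK below is a
constructed tree with one LUKS-backed root and one plaintext data partition."""
import json
import subprocess

SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": None, "children": [
            {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
    {"name": "sdb", "type": "disk", "fstype": None, "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "fstype": "xfs", "mountpoint": "/srv/member_data"}]},
]})


def walk(dev, under_crypt=False):
    """Yield (name, mountpoint, encrypted) for each mounted filesystem in the tree.

    A filesystem counts as encrypted when it, or any device above it, is a
    dm-crypt ("crypt") device; the flag is carried down through the children."""
    encrypted = under_crypt or dev.get("type") == "crypt"
    if dev.get("mountpoint"):
        yield dev["name"], dev["mountpoint"], encrypted
    for child in dev.get("children") or []:
        yield from walk(child, encrypted)


def unencrypted_mounts(lsblk_json, allow=("/boot",)):
    """Return sorted (device, mountpoint) pairs holding plaintext filesystems.

    /boot is allowed by default because it normally cannot be encrypted on a
    stock setup; anything else listed here is a finding for the vendor."""
    tree = json.loads(lsblk_json)
    return sorted(
        (name, mountpoint)
        for top in tree["blockdevices"]
        for name, mountpoint, encrypted in walk(top)
        if not encrypted and mountpoint not in allow
    )


def live_report():
    """Run the real lsblk on this host and apply the same check."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for device, mountpoint in unencrypted_mounts(SAMPLE_LSBLK):
        print(f"UNENCRYPTED {device} mounted at {mountpoint}")
```

One caveat a practitioner would add: this only sees encryption done in the OS. Drives encrypted in hardware, or volumes the vendor encrypts at the storage array, look plaintext to lsblk, so a clean report from this script should be paired with the vendor's own evidence for those layers, and a dirty report is a finding either way.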

Sounds like they never considered security when they set this up.

UK: University of York leaks private details of entire student body

March 14, 2011 by admin

The University of York’s student publication, Nouse, blows the whistle on a breach at the university involving exposure of student information:

On a student enquiry screening function enabled on the website, and open to the general public, the private details of any registered student were made freely accessible. This included all their personal details such as mobile numbers, home and term-time addresses, and date of birth.

In addition, particular concern was raised over the publication of the details of all students’ registered emergency contacts, including the disclosure of names, email addresses and mobile numbers. Most emergency contacts are close relatives or friends who do not attend the University themselves.

The search also disclosed the AS and A-Level results of all students, as well as their personal photo submitted for the University card.


The information has been available and accessible for over a week, though after being alerted to the security breach this morning, the University has since disabled the system.

The details of 17,094 students, including all those in undergraduate, post-graduate and part-time study could be accessed via the University website, without the need to even enter a University login.

Read more on Nouse.
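The York screen failed on three separate controls at once: no login, no check that the person asking is entitled to that particular record, and the whole record returned rather than the fields the purpose needs. The pair of handlers below is an added example, not code from Nouse or the University of York; the student records, the session table, the `X-Session` header and the field names are all constructed. The first function is the exposed pattern the article describes; the second is what the same lookup looks like with those three controls in place, plus an access log so a future disclosure can be bounded instead of guessed at.

```python
"""A student-enquiry lookup: the exposed pattern beside a hardened one.

Added example, not code from Nouse or the University of York: the student
records, the session table, the header name and the field names are all
constructed to illustrate the kind of screen the article describes."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records; the real system held 17,094 of these.
STUDENTS = {
    "s1001": {"name": "A. Student", "mobile": "07700 900001", "dob": "1990-01-01",
              "home_address": "1 Example Street", "a_levels": "AAB",
              "emergency_contact": {"name": "P. Parent", "mobile": "07700 900002"},
              "photo": "<jpeg bytes>"},
    "s1002": {"name": "B. Student", "mobile": "07700 900003", "dob": "1991-02-02",
              "home_address": "2 Example Street", "a_levels": "BBC",
              "emergency_contact": {"name": "Q. Parent", "mobile": "07700 900004"},
              "photo": "<jpeg bytes>"},
}

# Constructed session store: token -> who is logged in and in what role.
SESSIONS = {
    "tok-registry": {"user": "registry1", "role": "registry"},
    "tok-s1001":    {"user": "s1001",     "role": "student"},
}

# Fields a student may see about their own record; registry staff see the whole record.
SELF_FIELDS = {"name", "mobile", "dob", "home_address", "emergency_contact"}
ACCESS_LOG = []  # (viewer, record) pairs, so disclosures can be reconstructed later


@dataclass
class Request:
    query: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def enquiry_exposed(req: Request) -> Response:
    """The pattern the article describes: no login, full record returned."""
    rec = STUDENTS.get(req.query.get("id"))
    return Response(404) if rec is None else Response(200, dict(rec))


def enquiry_hardened(req: Request) -> Response:
    """Require a session, authorise per record, minimise fields, log the access."""
    session = SESSIONS.get(req.headers.get("X-Session", ""))
    if session is None:
        return Response(401)              # checked before the lookup: no existence leak
    sid = req.query.get("id")
    rec = STUDENTS.get(sid)
    if rec is None:
        return Response(404)
    if session["role"] == "registry":
        allowed = set(rec)                # staff role: full record
    elif session["user"] == sid:
        allowed = SELF_FIELDS             # a student: only their own record, fewer fields
    else:
        return Response(403)              # logged in, but not entitled to this record
    ACCESS_LOG.append((session["user"], sid))
    return Response(200, {k: v for k, v in rec.items() if k in allowed})
```

The order of the checks matters: authentication comes before the record lookup so an anonymous caller cannot even learn which IDs exist, and the 403 for a logged-in student asking about someone else is what turns "any registered student" into "your own record".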

How easy it is to ignore the doomsayers.

Richard Stallman: Cell Phones Are 'Stalin's Dream'

"Cell phones are 'Stalin's dream,' says free software pioneer Richard Stallman, who refuses to own one. 'Cell phones are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop.' Even the open source Android is dangerous because devices ship with proprietary executables, Stallman says in a wide-ranging interview on the state of the free software movement. Despite some progress, Stallman is still dismayed by 'The existence and use of non-free software [which] is a social problem. It's an evil. And our aim is a world without that problem.'"

Wow! Even more than the UK?

China's Largest City Will Double Its Surveillance Cameras to 510,000

Across the country, governments have installed more than seven million CCTV cameras, with another eight million expected by 2015; together, Beijing and Shanghai operate more than three million cameras. It’s hard to compare these figures with American cities, where a fair number of surveillance cameras are privately owned and where no reliable records are kept. A 2005 survey of Lower Manhattan by the New York Civil Liberties Union found 4,176 cameras below 14th Street, an area about one-sixth the size of the island (Greenwich Village and SoHo were the most surveilled areas, with a rate of three cameras per acre, or one for every 84 residents).

Doomed to failure? Don Quixote lives?

TSA protester files lawsuit against Richmond Intl Airport and TSA

March 15, 2011 by Dissent

Remember the young man who stripped down to his underwear to protest TSA’s invasive security screening procedures? Pictures of him with the text of the Fourth Amendment painted on his chest got national attention at the time, and although he was charged with disorderly conduct, the charges were later dismissed. Well, they may have dismissed their charges against him, but he still has something to say about them, and he’s saying it in court. Frank Green reports in the Richmond Times-Dispatch:

A Charlottesville man arrested last year for taking his clothes off at a security checkpoint at Richmond International Airport has filed a lawsuit against the airport and federal officials.

In a complaint filed in U.S. District Court in Richmond on Thursday, Aaron B. Tobey, 21, alleges that the U.S. Department of Homeland Security, the Transportation Security Administration and airport officials violated his constitutional rights.

Read more in the Richmond Times-Dispatch.

(Related) Another wasted effort?

NH bill aimed at TSA screeners survives vote in committee

March 14, 2011 by Dissent

Garry Rayno reports that what is mostly a symbolic gesture has survived a committee vote:

A bill that would allow federal transportation security agents to be charged with sexual assault may help draw attention to problems with enhanced security screenings at airports, backers say.

The House Criminal Justice and Public Safety Committee Thursday voted 14-3 to retain the bill after voting down an attempt to kill it, 13-4.


USAID is attempting to overthrow the government in Cuba? No wonder third-world countries are suspicious.

Internet-Spreading American Gets 15-Year Sentence In Cuba

"American social worker Alan Phillip Gross, who has spent years connecting developing countries to the internet, has been sentenced by a 'Security Court' in Cuba to 15 years in prison. His crime: 'Acts against the Independence and Territorial Integrity of the State.' The Cuban government also claimed he was trying to 'destroy the Revolution through the use of communication systems out of the control of authorities.'"

[From the WSJ article:

Alan Gross, 61, worked as a contractor for a USAID program that secretly provided technology like computers and communications equipment to encourage democratic reforms.


Activists Want State Dept. to Control Dissent-Tech Cash

The State Department gets its share of criticism for how it oversees millions of dollars in grants for keeping the internet open to dissidents. But a group of activists wants to make sure that Foggy Bottom keeps control of cash that some in Congress think could be better spent by the United States’ foreign broadcasting arm.

In a letter sent to Capitol Hill on Monday, activists warned that moving the funding for the Obama administration’s Internet Freedom Agenda to the Broadcasting Board of Governors, which oversees pro-American radio, TV and internet programming abroad, would undermine the goal of a “free and open internet.” The letter even has its very own Tumblr.

Last month, just as Secretary of State Hillary Rodham Clinton unveiled a $25 million “venture capital approach” to fund the development of new circumvention and anonymity tools for online activists, Sen. Richard Lugar issued a report questioning State’s inability to disburse millions left over from previous efforts — just before internet-enabled activists essentially recast the Middle East.

Adding a “Do not track” flag still requires the tracking organization to honor the request.

Microsoft Adds Do-Not-Track Tool to Browser

March 14, 2011 by Dissent

Nick Wingfield and Julia Angwin report:

A new version of Microsoft Corp.’s Internet Explorer to be released Tuesday will be the first major Web browser to include a do-not-track tool that helps people keep their online habits from being monitored.

Microsoft’s decision to include the tool in Internet Explorer 9 means Google Inc. and Apple Inc. are the only big providers of browsers that haven’t yet declared their support for a do-no-track system in their products. In January, Mozilla Corp. said it would include a do-not-track feature in an upcoming version of its Firefox browser. Internet Explorer is the most widely used browser.

Read more in the Wall Street Journal.
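What the browser actually does is send one request header, `DNT: 1`; everything after that is up to the server. The block below is an added example, not Microsoft's or Mozilla's code: a constructed server-side check that sets its (constructed) tracking cookie only when the header is absent, wrapped in a tiny WSGI application to show where the header turns up (`HTTP_DNT`). The point is that without code like this at the tracking organisation, the header changes nothing.

```python
"""Honouring the DNT request header on the server side.

Added example, not Microsoft's or Mozilla's code: the tracking-cookie name and
the small WSGI application are constructed. The browser only sends `DNT: 1`;
whether anything changes is decided entirely by code like this on the server."""
from wsgiref.simple_server import make_server


def dnt_opt_out(headers):
    """True when the client asked not to be tracked. Only the value "1" means
    opt-out; an absent header or any other value carries no preference."""
    return headers.get("DNT", "").strip() == "1"


def build_response(headers, tracking_cookie="vid"):
    """Return (status, response headers). The tracking cookie is set only when
    the client did not opt out; nothing forces a server to make this check."""
    resp = [("Content-Type", "text/plain; charset=utf-8")]
    if dnt_opt_out(headers):
        # "N" = not tracking, from the later W3C Tracking Preference Expression draft
        resp.append(("Tk", "N"))
    else:
        resp.append(("Set-Cookie", f"{tracking_cookie}=abc123; Path=/; HttpOnly"))
        resp.append(("Tk", "T"))
    return "200 OK", resp


def app(environ, start_response):
    """WSGI entry point: CGI-style naming turns the DNT request header into HTTP_DNT."""
    headers = {"DNT": environ.get("HTTP_DNT", "")}
    status, resp_headers = build_response(headers)
    start_response(status, resp_headers)
    return [b"tracking opt-out honoured\n" if dnt_opt_out(headers) else b"tracked\n"]


if __name__ == "__main__":
    # Try it: curl -H 'DNT: 1' -i http://127.0.0.1:8000/ and compare without the header.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

Testing a site's claim to honour the header is the same exercise from the other side: send the request twice, once with `DNT: 1` and once without, and diff the `Set-Cookie` lines.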

We don't have a graduate Data Analysis concentration. Perhaps we should?

DHS Chief Wants Better Algorithms For Analyzing Intelligence Data

"Better algorithms to spot patterns and trends within the mass of information the Department of Homeland Security sees everyday are key to national security. That was but one of the talking points DHS chief Janet Napolitano focused on in a lecture on the role of science and technology at the Massachusetts Institute of Technology today. 'DHS is part of the nation's Intelligence Community, which receives more terabytes of data each day than the entire text holdings of the Library of Congress. The National Counterterrorism Center's 24-hour Operations Center receives 8,000 to 10,000 pieces of counterterrorist information every day. We receive data about all of this, and it is clearly too much to suggest that the simplistic "connect the dots" analogy accurately represents what an analyst must do. Very quickly, you can see that "Big Data" – more so than the lack of data – becomes the most pressing problem. At the same time, the threats implicated by the data are not static.'"

(Related) Won't they just move?

MA: Rep. Lewis Files Legislation to Protect Privacy and Personal Data

March 15, 2011 by Dissent

Laura Richter writes:

State Representative Jason Lewis has filed legislation to protect Massachusetts residents’ privacy, personal data, and First Amendment rights in the context of government data collection. The bill would prohibit law enforcement from collecting information about individuals’ political and religious views, associations, or activities without reasonable suspicion of criminal conduct.

The bill, known as An Act to Protect Privacy and Personal Data, has been introduced to provide important safeguards in response to the proliferation of massive data-banking operations, funded by the federal government, that collect and store a vast array of information about ordinary Americans. Two of these so-called “fusion centers” are located in Massachusetts. The U.S. Department of Homeland Security has explicitly stated that it is up to individual states to provide appropriate privacy protections for these operations.

Read more on The bill is H01336.

The ACLU of Massachusetts is supporting the bill.

How can you protect yourself from risks you don't know exist?

Former NSA, CIA Chief: Declassify Cyber Vulnerabilities

The former head of America’s most powerful and secretive intelligence agencies thinks the U.S. government classifies too much information on cybersecurity vulnerabilities.

“Let me be clear: This stuff is overprotected,” writes retired four-star Gen. Michael Hayden, in the new issue of the Air Force’s Strategic Studies Quarterly. “It is far easier to learn about physical threats from U.S. government agencies than to learn about cyberthreats.”

… The statement is part of Hayden’s introduction to the spring edition of Strategic Studies Quarterly, which explores the strategic issues of cyberwar.

For my Computer Security students

The Life of a Cybercrime Investigator

"Steve Santorelli gets computing experts and law enforcers to cooperate in a global fight against organized Internet crime. This article talks about the role of law enforcement in identifying and battling online threats as they change and evolve. Quoting: 'The common wisdom about hacking and cybercrime is, in Santorelli's view, severely out of date. He says cybercriminals aren’t lone wolves; they are financed and directed by international criminal syndicates. ... Organized crime also has vast resources derived from its traditional operations to finance the hiring of quality hackers around the world. There is even evidence that some syndicates are investing in research and development, looking to create proprietary, next-generation hacking tools, Santorelli says.'"

Of course, I never tell the truth so I have no worries...

Blogger Fined $60K For Telling the Truth

"'Johnny Northside,' a Minneapolis blogger with less than 500 readers a day, revealed that a University of Minnesota researcher studying mortgage fraud had been involved in a fraudulent mortgage himself; the blog post was at least partially responsible for the researcher losing his job. The researcher then sued the blogger and won — despite the blogger having his facts straight. Johnny Northside plans to appeal the verdict."

Build that Techie Toolkit.

Windows Users: Here Is Why You Need A Linux Live CD

(Related) A “must have” for Computer Forensic students

What A Hex Editor Is & Why You Might Use It [Technology Explained]