Saturday, April 30, 2011

I'd like to believe this is evidence of a trend: governments not satisfied with vague statements like “We suffered an intrusion...” Should a full “autopsy” be provided to the government as part of mandatory breach reporting?

Taipei demands answers from Sony, threatens fines

April 29, 2011 by admin

Ralph Jennings reports:

The city of Taipei is demanding that Sony provide details about any leak of PlayStation Network user data following an intrusion last week or face fines.

As pressure mounts internationally against Sony over the failure of its PlayStation Network online gaming service, the Taiwan capital’s Law and Regulation Commission said late on Thursday it had sent the Japanese company a letter asking it to explain the incident “from start to finish” and any proposed follow-up measures.

The letter was sent on Wednesday and gives Sony 10 days to respond. If it fails to reply in time, it would be fined between NT$30,000 (US$1044) and NT$300,000 for alleged breaches of local consumer protection laws, the commission said in a statement.

Read more on PCWorld.


House members grill Sony on data breach

Rep. Mary Bono Mack (R-Calif.), chair of the Energy and Commerce Trade subcommittee, and ranking member Rep. G.K. Butterfield (D-NC), wrote to the company with 13 questions about the incident.

They said it would help inform the subcommittee's work on data protection. Bono Mack is preparing data protection legislation and will hold a hearing next week on the Sony breach.

… They also asked why Sony can't rule out the possibility that credit card numbers were obtained. "Please explain…why you cannot determine if the data was in fact taken," the lawmakers said.

[The letter:

For my Computer Security students, who weren't quite sure what a “land line” phone was...

The Rise Of Smartphone Snooping & How To Check For It

Snooping on computers has been a problem for decades. The so-called Trojan Horse, malware that gives a hacker access to a PC without the owner’s permission, has been around since the '80s. Keyloggers are another area of concern, and have been given some attention in the popular media from time to time. But whatever you call it, snooping on a PC is an accepted risk, and one users often look out for.

But what about your smartphone? Modern devices are essentially tiny PCs that also make phone calls, and the potential negative effects of Smartphone snooping could be much worse. Smartphones transmit location data and store lists of everyone you know, along with their phone numbers. Obviously, this information shouldn’t be in the wrong hands, but what can you do to prevent Smartphone snooping?

NOW do you see how much fun it is to write Acceptable Use policies?

Ninth Circuit Holds That Violating Any Employer Restriction on Computer Use “Exceeds Authorized Access” (Making It a Federal Crime)

April 29, 2011 by Dissent

Orin Kerr writes:

I had thought the world was safe from the nuttiness of the Justice Department’s broad theories of the Computer Fraud and Abuse Act in the Lori Drew case. Not so. Readers may recall I once blogged about a similar case, United States v. Nosal, that raised similar issues in the context of an employee who breached his employer’s written restrictions on computer use. What I didn’t realize is that DOJ appealed a district court’s order in Nosal and brought the issue to the Ninth Circuit.

In a divided opinion today by Judge Trott, joined by Judge O’Scannlain, United States v. Nosal, the Ninth Circuit held that “an employee ‘exceeds authorized access’ under § 1030 when he or she violates the employer’s computer access restrictions — including use restrictions.”

Read more on The Volokh Conspiracy.

The Internet of Things. RFID is too cheap not to track everything.

Hotel Tracks Towels With RFID Chips

"An unnamed hotel is now putting RFID tags in their towels: 'The Honolulu hotel (the hotels have asked to remain anonymous, just to keep you guessing) says it was taking a bath to the tune of 4,000 pool towels per month, a number that it has reduced to just 750 (a savings of $16,000 per month). And that's just at the pool.' It's unclear what they do if the towel flies to the Midwest."

[From the article:

Three hotels in Honolulu, Miami, and NYC have employed a new kind of washable RFID tag to keep you from stealing their towels, linens, and plush terrycloth bathrobes.

Friday, April 29, 2011

Very interesting to me how many of my students wrote their weekly paper on this incident. With the price for stolen card numbers so low, you need 77 million cards to make a hack like this worthwhile...

Stolen info from PlayStation hack reportedly up for sale

April 29, 2011 by admin

While Sony has been assuring everyone that users’ credit card numbers were encrypted, other reports continue to suggest otherwise (including this chat log that has garnered a lot of attention). Now Asher Moses reports:

Personal information and credit card numbers stolen from Sony’s PlayStation Network in one of the world’s largest privacy breaches are reportedly being offered for sale on underground internet forums.

Police and banks have said they have yet to discover a case of an Australian being defrauded as a result of the Sony breach, however, it has been less than two weeks since the attack and potential victims are being warned that they will have to be on their toes for some time to come.

Kevin Stevens, senior threat researcher at the security firm Trend Micro, was one of several experts who told The New York Times that he had seen talk of the hacked database on several hacker forums.

The researchers said the attackers were hoping to sell a database that included Sony customer names, addresses, usernames, passwords and millions of credit card numbers.

The credit card list alone was listed for upwards of $100,000 [If true, that's 770 credit cards for $1 or $0.0013 per card. Bob] and the hacker had allegedly offered to sell the database to Sony, but did not receive a response.

Read more in The Age.

(Related) It's one thing to have a security failure. It's quite another to have many failures...

Sony's missteps through the years

Rootkit Scandal

Sony got into trouble in November 2005 when it was discovered that the company used a rootkit on music CDs to limit the number of copies a person could make of the CD and to prevent making MP3 files from the music.

Faulty Lithium-ion batteries

In the summer of 2006, reports of laptops smoking or bursting into flames began to crop up. Turns out a pretty big batch of Sony's lithium-ion batteries, which all the flaming laptops were using, were defective. The problem came to light when Dell was forced to recall more than 4 million laptop batteries made by Sony. Eventually Apple issued a recall for 1.8 million notebook batteries, as did Gateway (now part of Acer), Toshiba, Lenovo, Fujitsu, and obviously Sony itself.

This happened at roughly the same time as the Sony breach, but didn't cause millions of kids to go whining to their parents...

Amazon EC2 Crash Caused Data Loss

"Henry Blodget is reporting that the recent EC2 crash caused permanent data loss. Apparently, the backups that were being made were not sufficient to recover the lost data. [I wonder if they had ever been tested? Bob] Although a small percentage of the total data was lost, any data loss can be bad to a Website operator."

Another example of security failures being immediately recognizable after the breach...

DSLReports says member information stolen

Subscribers to ISP news and review site DSLReports have been notified that their e-mail addresses and passwords may have been exposed during an attack on the Web site earlier this week.

The site was targeted in an SQL injection attack yesterday and about 8 percent of the subscribers' e-mail addresses and passwords were stolen, Justin Beech, founder of DSLReports, wrote in an e-mail to members. That would be about 8,000 random accounts of the 9,000 active and 90,000 old or inactive accounts created during the site's 10-year history, Beech said in an e-mail to CNET today.

"The data was taken on Wednesday afternoon, recognized and blocked at 7 p.m., [Beats not even noticing for a week... Bob] and by Wednesday evening all the active accounts received e-mail notifications advising them to change their password if they share it with that e-mail address and all passwords were changed at that time," he wrote.

… "Obviously having both an SQL injection attack hole (now closed) and plain text passwords is a big black eye, and I'll be addressing these problems as fast, but as carefully, as I can," Beech wrote.
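The two problems Beech names above, string-built SQL and plaintext passwords, are worth seeing side by side with their fixes. What follows is an added example I wrote for this post, not DSLReports code: the table layout, the sample accounts and the injection payloads are constructed, and it runs against an in-memory SQLite database.

```python
"""Added example (not DSLReports code): a login lookup that splices user input
into SQL, over a table of plaintext passwords, next to the hardened form: a
parameterized query over salted PBKDF2 hashes.  In-memory SQLite, constructed data."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; not real members.
SAMPLE_USERS = [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")]


def pbkdf2(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a dumped table yields no reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT PRIMARY KEY, password TEXT)")
    db.execute("CREATE TABLE members_hashed (email TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    for email, pw in SAMPLE_USERS:
        db.execute("INSERT INTO members VALUES (?, ?)", (email, pw))  # plaintext, as at DSLReports
        salt = os.urandom(16)
        db.execute("INSERT INTO members_hashed VALUES (?, ?, ?)", (email, salt, pbkdf2(pw, salt)))
    return db


# --- vulnerable: the input becomes part of the SQL text -----------------------
def find_member_vulnerable(db, email: str) -> list:
    sql = "SELECT email FROM members WHERE email = '%s'" % email
    return [row[0] for row in db.execute(sql)]


def login_vulnerable(db, email: str, password: str):
    sql = ("SELECT email FROM members WHERE email = '%s' AND password = '%s'"
           % (email, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


# --- hardened: placeholders carry the data, the table carries only hashes -----
def login_safe(db, email: str, password: str) -> bool:
    row = db.execute("SELECT salt, hash FROM members_hashed WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so response timing cannot leak the stored hash.
    return hmac.compare_digest(stored, pbkdf2(password, salt))


if __name__ == "__main__":
    db = make_db()
    # A UNION injected through the email field returns every stored password.
    print(find_member_vulnerable(db, "x' UNION SELECT password FROM members --"))
    # A tautology in the WHERE clause logs in without knowing any password.
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))
    # The same payloads against the hardened lookup are just strings that match nobody.
    print(login_safe(db, "' OR 1=1 --", "anything"), login_safe(db, "alice@example.com", "correct horse"))
```

Note that the two fixes are independent: the parameterized query closes the hole, and the hashed table limits what a future hole leaks. Beech's "black eye" was having neither, so a single injection handed out working credentials for every affected account.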

When you have no clue, hold hearings?

Wireless carriers reveal location privacy policies

April 28, 2011 by Dissent

Cecilia Kang reports:

The nation’s top wireless carriers say they all collect personal information, including location data, about subscribers and use much of that information to tailor marketing pitches for more services.

In letters responding to lawmakers’ questions, they described varied policies on protecting data and how long they retain location and other sensitive information such as a user’s name, Social Security number, and address.

Read more in the Washington Post.

[From the article:

“The use of encryption and related security technologies were utilized to varying degrees across the four wireless carriers, and sensitive data was retained for differing periods of time,” Markey said.

(Related) Somehow, I don't think this will resolve all our concerns...

Verizon Plans To Put Location-Tracking Warning Sticker on Phones

April 28, 2011 by Dissent

Kashmir Hill writes:

Though Apple and Google have become the whipping boys for location privacy, both companies have said that the data sent back to them about phone users’ movements is anonymized and not traceable to individuals. That is not the case with carriers: Verizon, Sprint, AT&T and T-Mobile do have extensive logs of people’s movements, as made clear in letters to Congress made public today by privacy hounds Congressmen Joe Barton and Ed Markey.

Read more on Forbes.

“We're not sure what Cloud Computing is, but it sounds so cool we want everyone to use it.” The $2.5 Billion figure also explains why Microsoft and Google are each claiming the other is “not certified.”

April 28, 2011

GSA Plans RFP for $2.5 Billion in Cloud Computing to Support IT Reform Plan

Jason Miller, Executive Editor, Federal News Radio: "The General Services Administration is about to give the Obama administration's policy that requires agencies to use cloud computing a big boost. GSA plans on releasing a request for proposals May 10 for e-mail-as-a-service that could be worth $2.5 billion. Vivek Kundra, the federal chief information officer, said Wednesday there are $20 billion in systems across the government that could move to the cloud, and email and collaboration software are among the easiest first steps. We already are seeing 15 agencies that have identified 950,000 e-mail boxes across 100 email systems that are going to move to the cloud," he said during an update on the administration's 25-point IT reform plan at the White House. "This represents a huge opportunity for [vendors] to aggressively compete for these new opportunities in the cloud space and provide the government with the best value and most innovative technologies." Among those 15 agencies already on their way are the Agriculture Department and GSA. USDA is moving 120,000 employees to Microsoft's cloud, while GSA picked Unisys, which partnered with Google, to move as many as 30,000 employees to a new email system."

For my Computer Forensics students

Nikon's Image Authentication Insecure

"Elcomsoft claims to have broken Nikon's Image Authentication system which — apparently only in theory — ensures that a photograph is authentic and not tampered with through a digital signature. They were able to extract the signing key from a camera and use it to have a modified image pass the software verification, rendering the rather expensive feature mostly marketed to law enforcement all but useless. So far Nikon has not given a statement. Canon's competing system was cracked by the same company last December."
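For the forensics students, here is an added example (mine, not Nikon's scheme and not Elcomsoft's tooling) that models image authentication with one secret shared by every camera and by the verifying software, then shows what an extracted key buys an attacker. The HMAC construction, the metadata fields and the sample bytes are assumptions chosen for illustration; the real Nikon format and key handling are not known to this example.

```python
"""Added example (not Nikon's scheme or Elcomsoft's tooling): a camera that tags each
image with a key baked into firmware, a verifier holding the same key, and a forgery
once that key has been read out of one camera.  All formats here are assumed."""
import hashlib
import hmac
import json

# Assumption: a single key shared by the firmware and the desktop verifier.
FIRMWARE_KEY = b"constructed-example-key"


def canonical(image: bytes, meta: dict) -> bytes:
    # Length-prefix both parts so distinct (image, meta) pairs cannot collide.
    m = json.dumps(meta, sort_keys=True).encode()
    return len(image).to_bytes(4, "big") + image + len(m).to_bytes(4, "big") + m


def camera_sign(image: bytes, meta: dict, key: bytes = FIRMWARE_KEY) -> bytes:
    """What the camera does at capture time."""
    return hmac.new(key, canonical(image, meta), hashlib.sha256).digest()


def software_verify(image: bytes, meta: dict, tag: bytes, key: bytes = FIRMWARE_KEY) -> bool:
    """What the desktop verifier does.  With a shared secret it can only establish
    that *someone holding the key* produced the tag, not that the camera did."""
    return hmac.compare_digest(camera_sign(image, meta, key), tag)


def forge(image: bytes, meta: dict, extracted_key: bytes):
    """Attacker with the extracted key: alter pixels and metadata, then re-sign."""
    doctored = image.replace(b"plate=ABC123", b"plate=XYZ789")
    new_meta = dict(meta, captured="2011-04-27T09:00:00Z")
    return doctored, new_meta, camera_sign(doctored, new_meta, extracted_key)


# Constructed sample "image"; real JPEG bytes are irrelevant to the MAC logic.
SAMPLE_IMAGE = b"\xff\xd8FAKEJPEG plate=ABC123 \xff\xd9"
SAMPLE_META = {"serial": "D3X-0000001", "captured": "2011-04-26T21:14:03Z"}


def demo() -> dict:
    tag = camera_sign(SAMPLE_IMAGE, SAMPLE_META)
    # 1. The untouched image verifies.
    genuine = software_verify(SAMPLE_IMAGE, SAMPLE_META, tag)
    # 2. Editing without the key breaks the tag (the case the feature was sold on).
    edited = SAMPLE_IMAGE.replace(b"ABC123", b"XYZ789")
    caught = software_verify(edited, SAMPLE_META, tag)
    # 3. Editing plus re-signing with the extracted key is indistinguishable from genuine.
    img2, meta2, tag2 = forge(SAMPLE_IMAGE, SAMPLE_META, FIRMWARE_KEY)
    forged = software_verify(img2, meta2, tag2)
    return {"genuine": genuine, "tampered_caught": not caught, "forgery_accepted": forged}


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered_caught': True, 'forgery_accepted': True}
```

The lesson for an examiner is that a pass from a verifier like this proves only that the tag was made by someone holding the key, and the timestamp and serial it displays are exactly what a forger with the key can rewrite. Once one camera has given up the secret, every "authenticated" image from that product line carries the same doubt, which is why the feature is "all but useless" rather than merely weakened.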

Record labels sue individuals, but negotiate with big players. Interesting to see their concerns spelled out... Can we view this as a guide to future litigation?

Behind The Scenes: Record Label Demands From Amazon

Amazon defied the record labels by launching an unlicensed personal cloud music service. (Disclosure: I’m CEO of competitor MP3tunes.) Music companies immediately expressed their dissatisfaction and Amazon publicly stated they would discuss licenses with labels.

… Dominating the discussions is the labels' concern that personal cloud services will exacerbate piracy and erode their business even further. Consequently they want to impose substantial restrictions on any such service, but each label has different concerns and demands. Below are examples of the startling limitations major labels wish to impose on such services.

Universal Music Group is concerned that users will load pirated songs into lockers. The average MP3 player houses more than a thousand songs and UMG believes that many were unpaid for. They do not want to see the billions of songs that came from P2P systems laundered (think drug money) in a cloud service and become legitimate.

All songs without a proof of purchase would be assumed to be unauthorized and not accepted into the system.

… Sony Music Group shares UMG's concern about the laundering of songs, but seems more concerned about locker sharing and downloads and is demanding restrictions in those areas. Sony believes users will share lockers by visiting each other's houses and syncing in each other's music. To combat this Sony wants loading to happen from only one computer. [Replace your computer, lose everything? Bob]

… Downloading is another area of concern for Sony. To prevent lockers from becoming Napster-like repositories, they want to restrict downloading to one emergency download only.

… Most worrisome to Warner Music Group is that users may set up multiple lockers and then distribute the extra lockers to friends. Imagine if a locker owner set up a locker at Apple and Amazon and then gave their less-used locker away or maybe even sold it. What WMG would like to see happen is that a central locker authority would administer all locker assignments.

… In addition to usage restrictions, labels are demanding that cloud services pay them an annual per-user fee. Labels will demand a minimum per-user fee each year and not the more business-friendly percentage model. Such a flat fee will mean no free or advertising-sponsored service will be possible. For subscription services such as Rhapsody and MOG they demand the HIGHER of: per-user fee, percentage of revenues or per-stream fee, effectively boxing in services and ensuring they’re never able to turn a profit.

Now you can be even MORE social... (I'll wait until I can hack myself a beer)

Pepsi Creates a Social Network Vending Machine

"Now even vending machines are getting in on the social media act. Pepsi has rolled out a new machine that can send a soda to a friend, using a Facebook-like functionality. From the article: 'Along with buying a soda with either cash or credit, the Social Vending System allows people to send a user a soda as a gift. All they have to do is enter the recipient's name, mobile number and a personalized text message. Consumers can even send a video along with the gift. Once received, the recipient will learn where they can redeem it.'"

I mentioned this yesterday. Here is the video.

Mike Matas: A next-generation digital book

Thursday, April 28, 2011

Of course. Just because the Japanese have more US dollars and make most of our cars does not mean they understand American law or culture.

Sony sued for PlayStation Network data breach

Like clockwork, the first lawsuit resulting from the security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.

The suit was filed today on behalf of Kristopher Johns, 36, of Birmingham, Ala., in the U.S. District Court for the Northern District of California. Johns accuses Sony of not taking "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."

He also believes Sony took too long to notify him and other customers that their personal information had been exposed. Because of that, the complaint alleges, Sony did not allow its customers "to make an informed decision as to whether to change credit card numbers, close the exposed accounts, check their credit reports, or take other mitigating actions."

The lawsuit is asking for monetary compensation and free credit card monitoring, and is seeking class action status.


Are fraud reports related to Sony breach?

Reports are trickling out from Sony PlayStation Network users about recent fraudulent charges on the credit cards they used for the PlayStation service. But it can't be substantiated at this time whether the fraud is a result of the data breach at Sony, and the timing of the reports could be coincidental.

… The company has not said how the breach happened and says there is "no evidence" that credit card information was compromised, but it advised customers to monitor their credit cards for erroneous charges anyway. [Not exactly the same as “We have evidence that credit card information was not taken...” In fact, this could be interpreted as, “We have no evidence at all.” Bob]

Update 5:28 p.m. PT: Sony released an FAQ blog post today that said credit card data was encrypted and separate from the other data, which was not encrypted but was "behind a very sophisticated security system that was breached in a malicious attack."

Another “Oops!” Think of it as an error on the back office players.

Yankees Accidentally Leak Personal Info Of 20,000 Season Ticket Holders

April 28, 2011 by admin

Barry Petchesky writes:

The New York Yankees accidentally distributed a file containing information on more than 20,000 season ticket accounts. The spreadsheet contains account numbers, names, addresses, phone numbers, and email addresses, and was mistakenly sent to thousands of current clients.

Precisely 21,466 season ticket plans are listed in the document, representing all of the “non-premium” seats that make up the vast majority of Yankee Stadium, excluding only the suites and the first few rows in the infield.

Read more on DeadSpin, where you can also read the email the Yankees sent all ticket-holders.

Less impactful than a class action suit, but still something to be avoided.

TX: Comptroller heads to court after security breach

April 27, 2011 by admin

John A. Salazar reports:

The Texas Comptroller faces her first legal hurdle after a year-long privacy breach resulted in the online exposure of 3.5 million Texans’ private information.

The Texas Civil Rights Project and Austin attorney Jim Harrington filed a petition against Comptroller Susan Combs in District Court.

The petition asks for Combs to go on record and answer 14 specific questions about how the privacy breach could have happened. Even if all 14 questions are answered, attorneys who filed the petition have little faith Combs can make matters better.

Read more on YNN.

[From the article:

"It's a question of incompetence on the part of the comptroller, clearly,” Harrington said. “But it's also a question of how do you undo this terrible breach of privacy that occurred."

Interesting. You have to reveal your UserID and passwords...

Greplin: 1.5 Billion Documents Indexed, Six Engineers

Late last year we first mentioned Y Combinator startup Greplin – it’s a startup that indexes your social stuff in the cloud, making all your Facebook, Gmail, LinkedIn, Google Calendar, Evernote, Twitter, Dropbox and just about everything else searchable. The easiest way to describe it is “the other half of search.”

They opened their doors to customers in February. The company won’t talk about total user numbers yet, which isn’t surprising. But we have dug one interesting data point out of founder Daniel Gross – They’ve now indexed some 1.5 billion documents. And they’re indexing about 30 million new documents per day.

What this means – when you join Greplin you authorize it to index various social apps and services. A typical user may sign up and start off by authorizing Greplin to index Facebook, Twitter and Gmail, for example. Greplin then grabs everything in those services – all your Facebook messages and updates, all your Twitter updates and DMs, all your Gmail messages back and forth, etc., and lets you search them. When you add up all those documents for all users, you get to that big number, 1.5 billion.

To put this into perspective, that’s about the size of Google’s web-wide index in 2001. Or 60 times the size of Google’s original 1998 index of 25 million documents.

On the daily side, Greplin’s 30 million new documents a day is about 25% of Twitter’s current load (and Twitter gets off easy with 140 character documents). It’s not an apples to apples comparison, but it gives you some idea of the scale that they’re already reaching. And remember, they launched in February.

Yesterday it was DHS. Today the FBI. Maybe we need to hire some 8-year-olds? (What do you bet the FBI uses this to justify requests for a massive budget increase?)

Report Critical of FBI Cybercrime-Fighting Ability

"Despite a push to bulk up its security expertise, the FBI in some cases lacks the skills to properly investigate national security intrusions. That was one of the major conclusions found in the U.S. Department of Justice inspector general audit of the FBI's ability to address national security cyberthreats today. The DOJ looked at 10 of the 56 FBI field offices and interviewed 36 agents. Of those interviewed, 13 'lacked the networking and counterintelligence expertise to investigate national security intrusion cases.'"

(Related) If you got a letter from the DOJ or FBI (surely they won't be knocking on your door...) would you feel comfortable refusing their “request?”

Feds To Remotely Uninstall Bot From Some PCs

"Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks. Coreflood will be removed from infected computers only when the owners have been identified by the DOJ and they have submitted an authorization form to the FBI. The DOJ's plan to uninstall Coreflood is the latest step in a coordinated campaign to cripple the botnet, which controls more than 2 million compromised computers. The remote wipe move will require consent, and the action does come with warnings from the court that provided the injunction against the botnet, however. 'While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers,' the authorization form reads. FBI Special Agent Briana Neumiller said, 'The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer.' The DOJ and FBI did not say how many machines they have identified as candidates for the uninstall strategy, but told the judge that FBI field offices would be notifying affected people, companies and organizations."

(Related) Okay, perhaps the US isn't the only country with Computer Security “issues”

Does China's Cyber Offense Obscure Woeful Defense?

"The official line in Washington D.C. is that there's a new Cold War brewing, with an ascendant China in the place of the old Soviet Union, and cyberspace as the new theater of war. But work done by an independent security researcher suggests that the Chinese government is woefully unprepared to fend off cyber attacks on its own infrastructure."

The apparent strategy is: Do whatever brings in a buck, then say “Oops!” Why not go the extra step and replace speed cameras with constant speed monitoring?

TomTom apologizes for giving customer driving data to cops

April 27, 2011 by Dissent

Dan Goodin reports:

Navigation device maker TomTom has apologized for supplying driving data collected from customers to police to use in catching speeding motorists.

The data, including historical speed, has been sold to local and regional governments in the Netherlands to help police set speed traps, Dutch newspaper AD reported here, with a Google translation here. As more smartphones offer GPS navigation service, TomTom has been forced to compensate for declining profit by increasing sales in other areas, including the selling of traffic data.

Read more in The Register.

(Related) Apple realized they don't need to store a year's worth of location data on your phone, since your phone sends them the data every few minutes. OR perhaps they overdo it so they can look good by removing the “Bug?”

Apple Promises Fix for Location-Gathering ‘Bug’ on iPhone

Is this an indication that the rules may change?

Israel’s National Labour Court severely restricts monitoring of employee email accounts

April 27, 2011 by Dissent

In a 91-page opinion the National Labour Court recently laid down a clear set of rules regarding an employer’s right to monitor its employees’ email messages and other employee uses of workplace IT systems.(1) The rules impose severe restrictions on employers’ rights, subsequently calling for employers to consider modification and reform of their employee privacy policies.

Read more about the decision on International Law Office.

[From the article:

An employer may monitor the traffic data and contents of professional purpose accounts only if it makes its employees aware of the email monitoring policy. However, if an employee uses the mailbox for personal email exchange, even if in violation of the corporate policy, the employer may access the personal messages in that account only subject to the employee's explicit, informative and freely given consent, and only if the contents of such personal messages are unlawful or abusive to the company. [I can't see this rule being adopted in the US. If you see a crime you have to get permission of the criminal to collect the evidence? Bob]

Another “alternative” to printed books...

Gore, Ex-Apple Engineers Team Up to Blow Up the Book

… Developed by former Apple employees Mike Matas and Kimon Tsinteris, Push Pop Press will be a publishing platform for authors, publishers and artists to turn their books into interactive iPad or iPhone apps — no programming skills required.

“The app is the richest form of storytelling,” [Really? Bob] Matas said. Push Pop Press “opens doors to telling a story with more photos, more videos and interactions.”

… Not impressed with words alone? Check out Gore’s tour of his book produced with Push Pop Press, embedded in the video below.

The former vice president approached Matas in September 2009 to create an app version of his book Our Choice: A Plan to Solve the Climate Crisis. Gore wanted the book app to contain videos, diagrams and other forms of multimedia that would flex the iPhone’s muscle. [Fishing for another Oscar? Bob]

Wednesday, April 27, 2011

Sony screws up again?

Gamers' details stolen in Sony security breach

Up to a million Australian members of an online game and movie network have become embroiled in one of the world's largest privacy breaches.

An ''illegal and unauthorised person'' stole personal details including addresses and potentially credit card details belonging to 77 million people who have accounts on Sony Electronics's PlayStation Network.

Sony made the announcement yesterday on an American website.

… The PlayStation Network, where users can play video games and buy movies to stream online, was disabled six days ago yet account holders were only made aware of the breach when Sony notified the media yesterday.

The ''scope of the breach'' only became apparent on Tuesday after four days of investigation by an external security firm. [So Sony didn't bother to look or didn't know how... Interesting. Bob] The spokesman said emails had been sent to users, however no account holders spoken to yesterday had been contacted by Sony.

Tools for ubiquitous security are becoming more common and much cheaper (free is good)

Viewdle Releases SocialCamera For Android: Instant Photo Tagging, Sharing

Visual analysis company Viewdle this morning launched an Android app called SocialCamera that allows users to instantly tag photos, add captions and share them on Flickr or Facebook, by email or MMS. The demo video below explains how the app works in more detail.

The Android application, which is still in beta and not to be confused with Justin.TV’s Socialcam app, is free of charge and should be available through Android Market today.

The first time you use the app, you’ll notice you’ll have to identify your Facebook friends. After that, however, the app will be able to detect and tag persons automatically, which is of course far more appealing an offer.

[From the website:

As you take photos, SocialCamera will create a faceprint of your friends, so you can automatically match their social contact info to their picture – your camera will know who to send your photos to.

For my Computer Security students. A talk by a Security Philosopher. Feeling Secure v. Being Secure

Bruce Schneier: The security mirage

The feeling of security and the reality of security don't always match, says computer-security expert Bruce Schneier. At TEDxPSU, he explains why we spend billions addressing news story risks, like the "security theater" now playing at your local airport, while neglecting more probable risks -- and how we can break this pattern.

...and what I learned from this article: DHS isn't ready for this.

DHS chief: What we learned from Stuxnet

… Although nobody knows who created Stuxnet, many believe that it opened a new chapter in the annals of cybersecurity: the first worm written to destroy factory control systems. On Monday, Iran said it had been hit with a second worm, called Stars, but security experts aren't sure that it really falls into the same class as Stuxnet.

… Stuxnet was a watershed event, according to Napolitano.

When Stuxnet hit, the U.S. Department of Homeland Security was sent scrambling to analyze the threat. Systems had to be flown in from Germany [What “systems?” Surely they could have sent software over the Internet securely – are they talking about Siemens controllers? Might make us feel better to be a bit more specific. Bob] to the federal government's Idaho National Laboratory. In short order the worm was decoded, but for some time, many companies that owned Siemens equipment were left wondering what measures, if any, they should take to protect themselves from the new worm.

… With Stuxnet, neither Siemens nor DHS itself were the ones to explain that the worm was actually built to target [Now that is scary... Bob] -- and then destroy -- a particular industrial facility. That work was done by security researchers at Symantec, Kaspersky Lab, and -- most notably -- by security expert Ralph Langner.

Push back... “We don't want to be held to the same standard imposed on Google!”

April 26, 2011

PC World: A trade group raises concerns about the FTC settlement with Google over Buzz

A trade group raises concerns about the FTC settlement with Google over Buzz, by Grant Gross

  • "The U.S. Federal Trade Commission's proposed settlement with Google over its bungled launch of the Buzz social-networking service could have disastrous effects on the rest of the e-commerce industry, the head of a trade group said. Privacy groups and some FTC officials are pressing to set the Buzz settlement as an online privacy standard. And one provision of the proposed settlement would be a "real killer" for the rest of the e-commerce industry, said Steve DelBianco, executive director of trade group NetChoice. The proposed settlement, with public comments due next Monday, requires Google to get "express affirmative consent" from its users for "any new or additional sharing" of personal information with third parties if the new sharing is a change in Google's practices. This provision, if it becomes an industry standard enforced by the FTC, would require all online businesses to get opt-in permission from customers for minor changes in the way they share information with partners or other businesses, DelBianco said. Opt-in requirements would make it difficult for social-networking and online content sites to roll out new innovations and pay for their free services, he said. The calls for the settlement to become a privacy standard "can't be allowed to produce side effects for the rest of the industry for something Google did inappropriately," DelBianco said. "If the FTC gets its way and imposes the Google settlement on the entire industry, Google's competitors have to obtain express, affirmative consent before releasing any new features that would just share non-sensitive user data with third-party apps and advertisers."

That's a firm “We don't know...”

Infographic: Does Facebook Make You a Better Student?

Tuesday, April 26, 2011

“It's for the children!” Justifying ubiquitous surveillance...

Kibot the robot entertains kids, spies on them

Korean children, already fast becoming a robot-friendly lot, have a new companion in Kibot, a monkey-faced bot that can read fairy tales, sing songs, take pictures, and make video calls via a display embedded in its tummy.

Wireless operator KT Telecom started delivering the multitasking monkey today for 485,000 won ($447), plus wireless packages that can be purchased in 12- or 14-month installments.

… Kibot (short for "kid's robot") isn't just for kids, however. Parents can also remotely control the 8-inch-tall wheeled robot via mobile phone and, using Wi-Fi, monitor their children (a feature that made Stella a tad apprehensive).

"If I was sleeping, it wouldn't be that comfortable if I knew someone was watching me," she said. "It would be freaky."

...another indication that SciFi does (sometimes) predict the future.

Welcome to the age of data: Watch your back!

This week's iPhone location tracking scandal is just the latest glaring spotlight on how much of your personal information is gushing out the door, whether unprotected on your own devices and ripe for the picking, or into corporate and botnet servers worldwide. And despite reports of a Steve Jobs e-mail declaring that Apple doesn't track anyone, Apple's general counsel told a congressional inquiry in June 2010 that "(t)o provide the high-quality products and services that its customers demand, Apple must have access to the comprehensive location-based information."

… The new cost of "free"

Personal information is the currency of the post-technological age, and the cost of "free" has never been higher. Your data, on an increasingly minute and personal level, powers every Web or network-based company, from start-up to monolith.

… But pity poor Google, which must gather all this information by increasingly intrusive means, like the DoubleClick ad cookie that tracks your browsing all across the Web, surreptitious Wi-Fi sniffing, and sending location information about you back to its data centers even when you're not running location apps.

On the other side of the aisle lies Facebook, which has cleverly cajoled 500 million users (and growing) into giving up virtually all the same information for free. Profiles, Places, Deals, and of course, the ever-present Like button, which lets you easily record your preferences for everything from opinions to shoes to celebrities, and you can almost imagine Facebook whispering a little "thank you" every time you click that little blue button.

Want to understand why Google is so desperate to get into social that it's tied part of every employee's bonus to the success or failure of that strategy in 2011? It has nothing to do with helping you share your photos and restaurant check-ins, and everything to do with data collection--and data connections.

Not all Clouds are fluffy?

Cloud development: 9 gotchas to know before you jump in

(Related) Another cautionary tale.

Top Ten e-Discovery Issues by Judge Andrew Peck and David Lender

United States Magistrate Judge Andrew J. Peck for the S.D.N.Y., and practicing attorney, David J. Lender, have written a Top Ten list of e-discovery issues that is worthy of your attention. 10 Key E-Discovery Issues In 2011: Expert Insight to Manage Successfully (Metropolitan Corp. Counsel, April 03, 2011).

Convergence: when your appliances run your life...

The Future of In-Car Computing

"PC Pro is running a collection of articles looking at the future of in-car computing technology. They discuss how smartphones will become the primary means of in-car entertainment, how satnavs will be integrated into fighter-jet style heads-up displays, and how cars will create wireless mesh networks that warn each other of upcoming delays and collisions. They also explore the issue of integrating driverless cars onto the roads. 'It's one thing having smart cars that can talk to each other and react accordingly, but if half of the cars are dumb, it's another issue.'"

(Related) At least he didn't blame the computer for turning on the lights and unlocking the doors.

Computer Opens Unmanned Store For Holiday

"The Waikato Times in New Zealand is reporting that someone forgot to tell the computer not to unlock the supermarket on the Friday holiday. 'About half of the 24 people who came into the supermarket paid for their groceries using the self-scan service. The service stopped working after alcohol was scanned, requiring a staff member to check a customer's age before the system is unlocked.' The owner, Mr Miller, was quoted as saying 'I can certainly see the funny side of it... but I'd rather not have the publicity to be honest. It makes me look a bit of a dickhead.' Rather than take legal action, Mr Miller is hoping that the people who didn't pay will do the right thing."

This should interest the Intellectual Property lawyers and anyone looking for a “legitimate” Pirate's Bay. Hackers (white hat?) figured out how Dropbox secured files and built a tool to help users share them.

Dropbox Attempts To Kill Open Source Project

… The HN post linked to a blog post about an open source project called Dropship that allows users to exploit Dropbox’s file hashing scheme to copy files into their account without actually having them. Dropship will save the hashes of a file in JSON format. Anyone can then take these hashes and load the original file into their Dropbox account using Dropship. This has some real potential benefits for Dropbox’s users. Anyone could easily share a private file with someone else by simply giving them the JSON string. No need to make the file public. The downside is potential for abuse in distribution and sharing of illegally pirated files.
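The weakness described above is a general one for any deduplicating store: if the server treats "I know the hashes" as "I possess the file", a hash manifest becomes a download token. The following is an added example (not code from Dropship or Dropbox) that models a tiny block-level dedup store with that flaw next to a hypothetical proof-of-ownership variant, where the server challenges the client with a random block and a fresh nonce so that only a client holding the bytes can have the file attached. Class and function names, the block size and the sample file contents are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

BLOCK = 4  # deliberately tiny block size so the short sample file spans several blocks


def block_hashes(data: bytes) -> list:
    """Hash each fixed-size block, the way a block-level dedup client would."""
    return [hashlib.sha256(data[i:i + BLOCK]).hexdigest()
            for i in range(0, len(data), BLOCK)]


class NaiveDedupStore:
    """Server that trusts a hash list as proof the uploader already has the file."""

    def __init__(self):
        self.blocks = {}    # block hash -> bytes, shared by every account
        self.accounts = {}  # user -> list of files, each file a list of block hashes

    def upload(self, user, data):
        hashes = block_hashes(data)
        for h, i in zip(hashes, range(0, len(data), BLOCK)):
            self.blocks.setdefault(h, data[i:i + BLOCK])
        self.accounts.setdefault(user, []).append(hashes)
        return json.dumps(hashes)  # the JSON manifest a user could hand to someone else

    def attach_by_manifest(self, user, manifest_json):
        """The weakness: any account that knows the hashes gets the file, no bytes sent."""
        hashes = json.loads(manifest_json)
        if not all(h in self.blocks for h in hashes):
            return False
        self.accounts.setdefault(user, []).append(hashes)
        return True

    def download(self, user, manifest_json):
        hashes = json.loads(manifest_json)
        if hashes not in self.accounts.get(user, []):
            raise PermissionError("file not in this account")
        return b"".join(self.blocks[h] for h in hashes)


class ProofOfOwnershipStore(NaiveDedupStore):
    """Mitigation (hypothetical design): dedup only after the client proves it holds the bytes."""

    def __init__(self):
        super().__init__()
        self.pending = {}  # challenge id -> (user, hashes, expected answer)

    def start_attach(self, user, manifest_json):
        hashes = json.loads(manifest_json)
        if not all(h in self.blocks for h in hashes):
            return None
        idx = secrets.randbelow(len(hashes))  # random block the client must present
        nonce = secrets.token_bytes(16)       # fresh per challenge, so an answer cannot be replayed
        expected = hmac.new(nonce, self.blocks[hashes[idx]], "sha256").digest()
        cid = secrets.token_hex(8)
        self.pending[cid] = (user, hashes, expected)
        return cid, idx, nonce

    def finish_attach(self, cid, answer):
        user, hashes, expected = self.pending.pop(cid)
        if not hmac.compare_digest(answer, expected):
            return False
        self.accounts.setdefault(user, []).append(hashes)
        return True


def client_answer(data, idx, nonce):
    """Honest client: keyed hash over the challenged block of the file it actually has."""
    return hmac.new(nonce, data[idx * BLOCK:(idx + 1) * BLOCK], "sha256").digest()


def demo():
    sample = b"constructed sample file contents 0123456789"  # constructed, not a real file
    results = {}

    naive = NaiveDedupStore()
    manifest = naive.upload("alice", sample)
    # bob holds only the JSON hash list, yet ends up with the full file in his account
    results["naive_attach"] = naive.attach_by_manifest("bob", manifest)
    results["naive_download_ok"] = naive.download("bob", manifest) == sample

    pop = ProofOfOwnershipStore()
    manifest = pop.upload("alice", sample)
    # bob with hashes only cannot answer the challenge, so the attach is refused
    cid, idx, nonce = pop.start_attach("bob", manifest)
    results["pop_hash_only"] = pop.finish_attach(cid, b"\x00" * 32)
    # carol, who genuinely has the bytes, still benefits from deduplication
    cid, idx, nonce = pop.start_attach("carol", manifest)
    results["pop_real_owner"] = pop.finish_attach(cid, client_answer(sample, idx, nonce))
    return results


if __name__ == "__main__":
    print(demo())
```

The challenge is keyed with a server-chosen nonce rather than asking for the raw block, so a manifest holder cannot precompute or replay answers; a production design would also limit challenge attempts per account, since a single tiny block can be guessed.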

As Arthur C. Clarke noted many years ago, countries with no significant infrastructure can adopt the latest technologies while developed countries must justify abandoning their capital investments before upgrading.

State of The Internet: Fiber, Fast Cities & Faster Broadband

The last three months of 2010 were good for broadband, thanks to growing demand for high-speed connections and growing popularity of fiber-based networks in Asia and Europe, according to the State of the Internet Report put together by Cambridge, MA-based Akamai Technologies. According to Akamai data, the global broadband adoption at the end of 2010 was about 61 percent with nine of the top 10 countries having ended 2010 with broadband adoption levels of 90 percent or higher. Given that Akamai has a fairly large and global footprint, the Akamai data is a good proxy for overall trends.

It's not about the melody, but your right to listen or perform the melody.

April 25, 2011

Rethinking Music: A Briefing Book

Rethinking Music: A Briefing Book Compiled and Presented By The Berkman Center for Internet & Society At Harvard University, April 2011.

  • "The Berkman Center for Internet & Society is pleased to present this briefing book to participants in the Rethink Music conference. The book includes the Center’s own framing paper, which introduces a number of issues that will be discussed during the course of the conference. Following that paper are contributions from a wide range of contributors, addressing some of the most current and compelling issues in music law and policy. The first five of those contributions were conceived during an October 2010 meeting at Harvard Law School among a variety of stakeholders interested in helping to shape the agenda for the Rethink Music conference, and they reflect the individual authors’ views on several cutting edge issues of the day. The last two papers reflect the existing or ongoing work of their respective contributors. The respective authors and/or copyright holders retain rights in each of the individual submissions. As noted, some of the submissions are licensed under Creative Commons licenses."

The first death in the Social Networking field? Probably some 'lessons to be learned' here...

Social Network Pioneer Friendster To Erase All User Photos, Blogs And More On May 31

Before MySpace and Facebook, there was Friendster, a pioneering social networking website for consumers. First launched in 2002, Friendster attracted tens of millions of users over the years, but it never quite grew into the online juggernaut it could have been.

Having raised close to $50 million in venture capital, Friendster was acquired by Malaysian payments company MOL Global at the end of 2009 for a reported $40 million.

Fast forward to today, and it looks like Friendster won’t be so much about sharing with friends anymore. In a message to registered members (hat tip to @Mazi), the company is asking all users to install a custom application to export all their profile data, as most of it will be unequivocally deleted on May 31, 2011.

Surprised to learn anyone was still making them. Does this make them more collectable?

A moment of silence: The manual typewriter is finally dead

The humble manual typewriter is officially dead, which may come as something of a surprise considering that word-processing platforms, desktop PC systems, and portable notebook computers have been the norm for so many years.

More pointedly, Mumbai-based Godrej and Boyce—the world’s last typewriter manufacturer—has finally closed its production line, bringing an end to one of history’s most iconic pieces of office equipment.

Monday, April 25, 2011

Suggests that the original design was not repairable? What happened to “Design for Security?”

Sony Rebuilding PlayStation Network Security After Attack

"The outage of Sony's PlayStation Network and Qriocity service, now in its fourth day, looks set to continue after the company said on Sunday that it is 'rebuilding' its system to better guard against attacks. Sony said on Saturday that the outage was caused by an 'external intrusion' into the network, but has yet to detail the problem. The PlayStation Network is used for PlayStation 3 online gaming and sales of software to consoles and the PlayStation Portable. The Qriocity service runs on the same network infrastructure and provides audio and video to Sony consumer electronics products."

For all my students...

April 24, 2011

'HTTPS Now' Campaign Urges Users to Take an Active Role in Protecting Internet Security

News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."
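To make the "changing it from HTTP to HTTPS whenever possible" point concrete, here is an added example (not HTTPS Everywhere's own code, which is a Firefox extension driven by XML rulesets) of the rule-based rewriting it performs: a request URL is matched against per-host rulesets, an exclusion list protects paths known to break under TLS, and URLs for hosts with no ruleset are left alone because the tool cannot invent HTTPS support a site does not offer. The hosts, rules and exclusions are constructed for illustration.

```python
import fnmatch
import re
from urllib.parse import urlsplit

# Constructed rulesets: target host patterns (shell-style wildcards), exclusions that
# must not be rewritten, and (regex, replacement) rewrite rules. Hypothetical hosts.
RULESETS = [
    {
        "name": "Example Site",
        "targets": ["example.test", "www.example.test"],
        "exclusions": [r"^http://www\.example\.test/legacy/"],  # legacy path without TLS
        "rules": [(r"^http://(www\.)?example\.test/", r"https://www.example.test/")],
    },
    {
        "name": "Example CDN",
        "targets": ["*.cdn.test"],
        "exclusions": [],
        "rules": [(r"^http://([^/]+\.cdn\.test)/", r"https://\1/")],
    },
]


def rewrite(url, rulesets=RULESETS):
    """Return (rewritten_url, ruleset_name); name is None when nothing applied."""
    parts = urlsplit(url)
    if parts.scheme != "http":          # already HTTPS (or not a web URL): nothing to do
        return url, None
    host = parts.hostname or ""
    for rs in rulesets:
        if not any(fnmatch.fnmatchcase(host, t) for t in rs["targets"]):
            continue
        if any(re.search(x, url) for x in rs["exclusions"]):
            return url, None            # explicitly excluded: leave it in plain HTTP
        for pattern, repl in rs["rules"]:
            new_url, n = re.subn(pattern, repl, url)
            if n:
                return new_url, rs["name"]
    return url, None                    # no ruleset knows this host: cannot upgrade


def upgrade_report(urls):
    """Summarise which of a list of request URLs would be upgraded, and by which ruleset."""
    return [(u, *rewrite(u)) for u in urls]


if __name__ == "__main__":
    # constructed sample requests
    for original, new, name in upgrade_report([
        "http://example.test/login?next=/home",
        "http://www.example.test/legacy/old.cgi",
        "http://img1.cdn.test/logo.png",
        "http://unknown.test/page",
        "https://example.test/already-secure",
    ]):
        print(f"{original} -> {new}  [{name}]")
```

Note that the exclusion check runs on the full URL while target matching runs on the host only, so a single host can be upgraded for most paths and skipped for the few that are known to fail over TLS; the remaining gap (hosts with no ruleset at all) is exactly why the campaign also works on the site-operator side.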

Bad Google, bad...

April 24, 2011

Dutch Data Protection Authority issues several administrative orders against Google

News release: "[April 19, 2011], the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) has issued several administrative orders against Google for incremental penalty payments. Investigations by the CBP show that Google has, for a period of two years, systematically, and without the data subjects’ knowledge, collected MAC addresses of more than 3.6 million WiFi routers, in combination with the calculated location of those routers. This was done by using the so called ‘Street View cars’. MAC addresses in combination with their calculated locations, qualify, in this context, as personal data, because the collected data provide information about the WiFi router’s owners. The Dutch DPA also concludes that Google, using the same Street View cars, collected so called payload data, the contents of internet communication. This information contains personal data such as e-mail addresses, medical data and information concerning financial transactions. Google has been ordered to, within three months, inform the data subjects – off line as well as on line – about the collection of data originating from WiFi routers by the Street View cars. Within the same period of three months, Google must also offer an on line possibility to opt-out from the database in order to enable people to object to the processing of the data concerning their WiFi routers. In case Google does not comply with the administrative order within the time period granted, the penalty amount can increase to a maximum of one million euros. Furthermore, Google is obliged to destroy the payload data it has collected in the Netherlands within four weeks. Read the Dutch press release and the relevant documents (only in Dutch)."

(Related) So perhaps Apple doesn't “need” this data, but someone (DHS?) wants them to keep it anyway? So much for “Opt Out”

IPhone Stored Location in Test Even if Disabled

Apple Inc.'s iPhone is collecting and storing location information even when location services are turned off, according to a test conducted by The Wall Street Journal.

The location data appear to be collected using cellphone towers and Wi-Fi access points near a user's phone and don't appear to be transmitted back to Apple. Apple didn't immediately respond to a request for comment.

Sunday, April 24, 2011

It is gratifying to know that someone reads my Blog. Stephen Rynerson was kind enough to send me some support for my comment in yesterday's post (Sealed Records Exposed In Major Court Gaffe) that it was quite unlikely that the Court would be unable to determine if their “sensitive information” had been viewed. It makes me feel that on occasion I do know what I'm talking about...

My two cents about the "likely impossible to determine if the sensitive information was viewed or disseminated" is that it is baloney unless the records were destroyed. PACER requires users to be registered and users are billed 8 cents for every page of a document viewed (capped at a cost of 30 pages for a single document). You are shown a receipt with the transaction information each time you access a document. I've pasted an example below. (I've replaced some information with asterisks in case you want to re-post the example elsewhere.) As you can see, it gives the user's login information, the client's billing code (if one is entered), the docket number (under what is called "Description") and the case number. I can't understand how this information wouldn't be available to investigators. (Admittedly, since law firms, libraries, and other institutional users often have a single login that is used by many people, you might not be able to identify the specific individual who looked at a document, but you should certainly be able to narrow down where the record was accessed from.)
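The forensic point above (billed, logged access means the viewers of a document can be narrowed down, with the caveat that shared institutional logins only localise the access rather than identify a person) can be shown on constructed records. This is an added example, not the receipt Stephen pasted and not PACER's own format: the pipe-delimited lines, logins, client code, case numbers and the set of known shared logins are all made up for illustration, while the billing parameters (8 cents per page, capped at 30 pages per document) are the ones stated above.

```python
from collections import Counter

# Constructed receipt lines carrying the fields named in the post: login, client
# billing code, description (document), case number, billable pages and cost.
RECEIPTS = """\
login=lawfirm01|client=4421|desc=Docket Report|case=1:11-cv-01234|pages=5|cost=0.40
login=jdoe|client=|desc=Document 17|case=1:11-cv-01234|pages=12|cost=0.96
login=lawfirm01|client=4421|desc=Document 17|case=1:11-cv-01234|pages=12|cost=0.96
login=library7|client=|desc=Document 3|case=2:10-cr-00099|pages=40|cost=2.40
"""

# Constructed: accounts known to be shared by many people at one institution.
SHARED_LOGINS = {"lawfirm01", "library7"}


def parse_receipts(text):
    """Turn the constructed receipt lines into dicts with typed pages/cost."""
    records = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split("|"))
        fields["pages"] = int(fields["pages"])
        fields["cost"] = float(fields["cost"])
        records.append(fields)
    return records


def expected_cost(pages, rate=0.08, cap=30):
    """Per-document charge as described above: rate per page, capped at `cap` pages."""
    return round(min(pages, cap) * rate, 2)


def who_viewed(records, case, desc):
    """Logins that pulled the named document in the case, with page totals per login."""
    hits = Counter()
    for r in records:
        if r["case"] == case and r["desc"] == desc:
            hits[r["login"]] += r["pages"]
    return dict(hits)


def investigate(text, case, desc):
    """Narrow the access to logins, flag shared accounts that need an internal follow-up,
    and surface receipts whose cost does not match the billing rule (possible tampering
    or a different document type)."""
    records = parse_receipts(text)
    viewers = who_viewed(records, case, desc)
    return {
        "viewers": viewers,
        "needs_internal_followup": sorted(l for l in viewers if l in SHARED_LOGINS),
        "inconsistent_receipts": [
            r for r in records if abs(r["cost"] - expected_cost(r["pages"])) > 1e-9
        ],
    }


if __name__ == "__main__":
    print(investigate(RECEIPTS, "1:11-cv-01234", "Document 17"))
```

The shared-login list is the part an investigator would have to obtain from the court's registration data; with it, the output separates accesses that identify a person from those that only identify an institution, which is the distinction the message above draws.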

The Cloud... An article for my Disaster Recovery students.

April 23, 2011

Report on Major Outage Impacting Cloud Computing Services

NYT: "As technical problems interrupted computer services provided by Amazon for a second day on Friday, industry analysts said the troubles would prompt many companies to reconsider relying on remote computers beyond their control... Amazon set up a side business five years ago offering computing resources to businesses from its network of sophisticated data centers. Today, the company is the early leader in the fast-growing business of cloud computing. In business, the cloud model is rapidly gaining popularity as a way for companies to outsource computing chores to avoid the costs and headaches of running their own data centers — simply tap in, over the Web, to computer processing and storage without owning the machines or operating software. Amazon has thousands of corporate customers, from Pfizer and Netflix to legions of start-ups, whose businesses often live on Amazon Web Services. Those reporting service troubles included Foursquare, a location-based social networking site; Quora, a question-and-answer service; Reddit, a news-sharing site; and BigDoor, which makes game tools for Web publishers."


EC2 Outage Shows How Much the Net Relies On Amazon

"Much has been written about the recent EC2/EBS outage, but Keir Thomas at PC World has a different take: it's shown how much cutting-edge Internet infrastructure relies on Amazon, and we should be grateful. Quoting: 'Amazon is a personification of the spirit of the Internet, which is one of true democracy, access to the means of distribution, and rapid evolution.'"

An article at O'Reilly comes to a similarly positive conclusion from a different angle.

Could be a useful source...

New organization to address online privacy invasion harm

April 23, 2011 by Dissent

A new organization aims to address a long-standing problem: how online invasion of privacy can cause harm to individuals. From their home page:

Without My Consent is a project to combat online invasions of privacy.

It’s no secret that the use of private information to harm a person’s reputation through public humiliation and harassment is an increasingly popular tactic employed by harassers. Because of the online (“cyber”) nature of the activity, victims are often left with no clear path to justice to restore their reputation, and overcome the serious harms caused by the harassment.

This website is intended to empower individuals harmed by online privacy violations to stand up for their rights. The beta launch of the site (set for Summer 2011) will focus on the specific problem of the publication of private images online. It will provide legal and non-legal tools for combating the problem. Our hope is that the site will also inspire meaningful debate about the internet, accountability, free speech, and the serious problem of online invasions of privacy.

See WithoutMyConsent and follow @WithoutConsent on Twitter.

“But everyone on Facebook is my Friend! They would never rat me out.” Not quite ready for the Darwin Award, still it's early days yet.

Teen denies crime, but admits it on Facebook

I am thinking of writing a book about all the faux pas people have committed on Facebook.

Here's another to add to my already large collection of stories for the book, provisionally entitled: "Face It, I'm a Half-wit."

According to the U.K.'s Portsmouth News, a 16-year-old with a clearly refined sense of humor decided to block all the water passages in a restroom at a public library.

Using all of the ingenuity at his disposal, he shoved toilet paper down the sinkholes and then turned on all the taps.

Being socially conscious, he did this late in the evening, so that water would happily pour away all night. Oddly, more than $200,000 worth of damage ensued from his amusement.

Naturally, he pleaded not guilty. This was until the prosecutor, who, having done what so many prosecutors do these days, showed that he had trawled Facebook for the accused's inner musings.

It seems that, though he had publicly protested his innocence, the accused had answered a question on Facebook as to whether he might be guilty. His reply: "Kind of, yeah. I've kept it to myself. A few mates know."

Clearly, these are good mates, the kind that don't rat out their buddies. Unfortunately, perhaps they might have to do a little work on their privacy settings.

I see much the same thing happening with Textbooks. Soon I will be able to mix and match “Chapters” dealing with a single subject – choosing the ones I think best describe the concepts I'm trying to teach.

What Is a Book? The Definition Continues to Blur

It used to be so easy to define what a book was: a collection of printed pages bound inside a cover (hard or soft) that you could place on a shelf in your library, or in a store. Now, there are e-books, and blogs that turn into books, and long pieces of journalism that are somewhere between magazine articles and short books — like the recent opus written by author John Krakauer, published through a new service called Byliner — and a whole series of ongoing attempts to reimagine the entire industry of writing and selling books. If you’re an author, it’s a time of incredible chaos, but also incredible opportunity.

Byliner is one of the most recent entrants into the micro-publishing field, offering a selection of longer works by well-known, non-fiction authors such as Krakauer, who wrote a long magazine-style article about the alleged irregularities involving a charitable effort by fellow mountain climber Greg Mortenson. The piece was available as a free download for the first 72 hours — and saw more than 50,000 copies downloaded — and then was expected to become a paid download. Byliner said it’s planning to publish original works soon by authors William Vollmann and Anthony Swofford as well.

In effect, Byliner is a publisher just like Random House or Macmillan, but it is going to publish small runs of e-books, like a micro-imprint would at one of the larger publishing houses. Because it’s online only, however, Byliner’s costs are likely orders of magnitude lower, and it shares the revenue from the books 50/50 with the author. In a way, the service is positioned midway between the magazine industry and the book-publishing business.

The site joins another boutique e-book publisher called The Atavist, which launched earlier this year and also focuses on long-form journalism — something between a magazine article and a short book-length project. But the Atavist has taken a real new-media approach, by offering its content through mobile applications for the iPhone and iPad, as well as offering multimedia (all stories are available as audio versions as well as print) and Kindle and Nook versions.

These two new ventures join a market where Amazon is already publishing what it calls “Singles,” or short book-length publications that virtually anyone can produce. To take just one example, blogger and founder Chris Dixon recently bundled all his blog posts about venture capital (he’s also an active angel investor) and published them as an Amazon e-book. Journalism professor Jay Rosen mused on Twitter about doing the same thing with his blog posts about the future of media. And the list of publishers grows every day, with the TED conference launching its own e-book imprint recently, and marketing maven Seth Godin starting a new micro-publishing venture (backed by Amazon) called Domino.

Meanwhile, some authors are making millions by self-publishing multiple inexpensive e-books: Amanda Hocking became famous in the industry over the past six months for making over $2 million by self-publishing a dozen fiction books for younger readers, and recently signed a hefty contract with an existing publisher based on that success. Others have gone in the opposite direction; author Barry Eisler, after publishing a number of books through the traditional route, said recently he’s going to start self-publishing, because he will have more control over the process and will keep more of the revenue.

After centuries of not changing very much at all, the book industry is going through the same kind of upheaval as newspapers, Hollywood and the music business are — and that means more uncertainty, but also more opportunity.